General

  • Target

    NTS_eTaxInvoice·pdf.vbs

  • Size

    22KB

  • Sample

    240318-243x8sca6s

  • MD5

    44351f5b633f64c785a5cb681f54db24

  • SHA1

    72b14e85f0676ef6829937060fea448753c357b5

  • SHA256

    680acae485ed1f4a3ac87a63eb7b640f15019e6feb43664654c3f6c0ab4cc118

  • SHA512

    a26ff7a5faa522222a551bac2ac973135651aeb81bc4500ee18cab6c6b1f5a65f598bb7b8a8e244e03bdbfd42c34e534e6dd3cb882cf302c7afecd74be430be4

  • SSDEEP

    384:CE686K1TZNiwsye6fUoQvHjNTvDDzgN9g8gT:H686KZHipf6sFxDD3ke8M

Malware Config

Targets

    • Guloader,Cloudeye

      A shellcode-based downloader first seen in 2020.

    • UAC bypass

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks