Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
NTS_eTaxInvoice·pdf.vbs
-
Size
22KB
-
Sample
240318-243x8sca6s
-
MD5
44351f5b633f64c785a5cb681f54db24
-
SHA1
72b14e85f0676ef6829937060fea448753c357b5
-
SHA256
680acae485ed1f4a3ac87a63eb7b640f15019e6feb43664654c3f6c0ab4cc118
-
SHA512
a26ff7a5faa522222a551bac2ac973135651aeb81bc4500ee18cab6c6b1f5a65f598bb7b8a8e244e03bdbfd42c34e534e6dd3cb882cf302c7afecd74be430be4
-
SSDEEP
384:CE686K1TZNiwsye6fUoQvHjNTvDDzgN9g8gT:H686KZHipf6sFxDD3ke8M
Malware Config
Targets
-
-
Target
NTS_eTaxInvoice·pdf.vbs
-
Size
22KB
-
MD5
44351f5b633f64c785a5cb681f54db24
-
SHA1
72b14e85f0676ef6829937060fea448753c357b5
-
SHA256
680acae485ed1f4a3ac87a63eb7b640f15019e6feb43664654c3f6c0ab4cc118
-
SHA512
a26ff7a5faa522222a551bac2ac973135651aeb81bc4500ee18cab6c6b1f5a65f598bb7b8a8e244e03bdbfd42c34e534e6dd3cb882cf302c7afecd74be430be4
-
SSDEEP
384:CE686K1TZNiwsye6fUoQvHjNTvDDzgN9g8gT:H686KZHipf6sFxDD3ke8M
Score10/10-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
UAC bypass
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1