General

  • Target

    612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc

  • Size

    424KB

  • Sample

    240328-2fa8baac9s

  • MD5

    7660d1df7575e664c8f11be23a924bba

  • SHA1

    22a6592b490e2ef908f7ecacb7cad34256bdd216

  • SHA256

    612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc

  • SHA512

    77c22370eaed5e096a476778d24c26fcd0105d56419bbd1a5af125028dea702aa8537017629920de08f9b7c20d3b9242606e37ace3e456d34730d0e54f20c15e

  • SSDEEP

    12288:ryWjrJS5FchtDO/V4Cqi0RlYZTRjzg2AYU:ryoJ8KhtDgVfJLTRjs2AYU

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.209

Attributes
  • url_path

    /3cd2b41cbde8fc9c.php

Extracted

Family

lumma

C2

https://herdbescuitinjurywu.shop/api

Targets

    • Detect ZGRat V1

    • Detects DLL dropped by Raspberry Robin.

      Raspberry Robin.

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • Stealc

      Stealc is an infostealer written in C++.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Windows security bypass

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Modifies boot configuration data using bcdedit

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Possible attempt to disable PatchGuard

      Rootkits can use kernel patching to embed themselves in an operating system.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Manipulates WinMon driver.

      Rootkits write to WinMon to hide PIDs from being detected.

    • Manipulates WinMonFS driver.

      Rootkits write to WinMonFS to hide directories/files from being detected.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
