General

  • Target

    05042024_0242_Tax_Document_23.zip

  • Size

    1.1MB

  • Sample

    240404-xcskzafa7z

  • MD5

    5daed7551ef99616e2756e51b113f685

  • SHA1

    e0be374bb3d14c047cb9e5568401258ac2b17fe2

  • SHA256

    f515492977637fd5604c5fc46a64fdde688d12ac9a3850991d88b7d10803cbc5

  • SHA512

    54afd1537eef93c3465bd0892c1eed81de1bb77a28adc819ba3b6193839fe291c9c1082ca2ac5efcb16bc6bf5330ce1d76684ca10359dda943a8f8bdfc1b1f91

  • SSDEEP

    24576:iyLCY0qQ7Yny5BcNcSoj4jCKEnVAUdmLEvhmJIo:iyTBQUnkBcAjJV1t4

Malware Config

Extracted

Family

darkgate

Botnet

seal1

C2

193.142.146.203

Attributes

  • anti_analysis

    false

  • anti_debug

    false

  • anti_vm

    false

  • c2_port

    80

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    AVUHIwtf

  • minimum_disk

    100

  • minimum_ram

    4096

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    false

  • username

    seal1

Targets

    • Target

      Tax_Document_23/IVIEWERS.dll

    • Size

      2.2MB

    • MD5

      6fa5ccb9fd4c3ff6d0c98fd22789085a

    • SHA1

      d0134291f882df3ab8742e89aad45abdd5a503a1

    • SHA256

      c12db3f77c4c7d51863e7b7453ecb92145214673774724e8e07c988410d646ed

    • SHA512

      6d3382b74eeb0c983c3d8438549b27bd014360a7b002e7e9e25c8eecb7ac418c5975c5a8b37fc16ca8e425f1b90aa4c22b6b6d6500e4d6ebcdee7e9bfd7fd0e0

    • SSDEEP

      24576:zPIcwYtNeFBVgPFCrqiWESjoXSTPFU5gG2wjIYAFvvcFd7gQ/8BdGhhg8x2IeYSn:3tNyBVsC9zCFSdS/YBUvqQyK

    • DarkGate

      DarkGate is an infostealer written in C++.

    • Detect DarkGate stealer

    • Blocklisted process makes network request

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Target

      Tax_Document_23/Tax_Document.exe

    • Size

      186KB

    • MD5

      df33c821c06835a1349cbe3b0c65f24c

    • SHA1

      5ddbb84801115d8e495b14c3963f6b174b5801f2

    • SHA256

      0263663c5375289fa2550d0cff3553dfc160a767e718a9c38efc0da3d7a4b626

    • SHA512

      13a9eff075b12b6ef398e103eda806ceed737665d35955c8882defd63ef0c9e25ecfe856ebf5560cbb61a02821ddcf9993290138fa8cdb0150ebbe0b7a1e6195

    • SSDEEP

      3072:IUiDZK+VBulx0QtCggULGWtf5Ju+uaxObQPEoSlpcm8Cy/V:wZjz2NqWtfHduaxOEPJAcmgV

    • DarkGate

      DarkGate is an infostealer written in C++.

    • Detect DarkGate stealer

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger

MITRE ATT&CK Enterprise v15