Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    NordVPNSetup.exe

  • Size

    16.8MB

  • Sample

    240408-v6vajsfa47

  • MD5

    8916adb46ac66f510491eeef40eb2b0d

  • SHA1

    25318148e33077ede2689d67a495d9160b0f331d

  • SHA256

    e9131d9413f1596b47e86e88dc5b4e4cc70a0a4ec2d39aa8f5a1a5698055adfc

  • SHA512

    b7ca36f76cfbd13b05462e002e8e3d77edcea2cba7e1076ef4a755172f8b429e54061a52696a399e615a09d405cea21599d56ff19d1b209b8c9d2998b1595721

  • SSDEEP

    393216:9qVjnUv7EZs8DvzHiQFFz1c4vJvFozQMI3vv2Jknvk:KjnUv7Qs8D7iQnzHvJ9kTI3v+KM

Malware Config

Targets

    • Target

      NordVPNSetup.exe

    • Size

      16.8MB

    • MD5

      8916adb46ac66f510491eeef40eb2b0d

    • SHA1

      25318148e33077ede2689d67a495d9160b0f331d

    • SHA256

      e9131d9413f1596b47e86e88dc5b4e4cc70a0a4ec2d39aa8f5a1a5698055adfc

    • SHA512

      b7ca36f76cfbd13b05462e002e8e3d77edcea2cba7e1076ef4a755172f8b429e54061a52696a399e615a09d405cea21599d56ff19d1b209b8c9d2998b1595721

    • SSDEEP

      393216:9qVjnUv7EZs8DvzHiQFFz1c4vJvFozQMI3vv2Jknvk:KjnUv7Qs8D7iQnzHvJ9kTI3v+KM

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks