General
Target: f58c41d83c0f1c1e8c1c3bd99ab6deabb14a763b54a3c5f1e821210c0536c3ff
Size: 4.8MB
Sample: 240410-sa76esfb3v
MD5: 259f06fcdb971f606d239b3178110981
SHA1: e2180bf4b9783d42d396826fc25ff8f9394cd430
SHA256: f58c41d83c0f1c1e8c1c3bd99ab6deabb14a763b54a3c5f1e821210c0536c3ff
SHA512: 1c3bdadf325a498133788afba3fe1f8c684079345753ae4c09b4562bfb445a2cfbce132e133ca04cb689fbe9a883f681c1fcf28cfed785a63e51edc3fcf327dc
SSDEEP: 49152:HwV7e4UdEmFoxt6LT/cZv17kbW6PaxjAzW0q0Myqi5jCeazHTL/HR85zA:HwVAzcZdYbW6yxUz40My5jCe0HP
Static task: static1
Behavioral task: behavioral1
  Sample: f58c41d83c0f1c1e8c1c3bd99ab6deabb14a763b54a3c5f1e821210c0536c3ff.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: f58c41d83c0f1c1e8c1c3bd99ab6deabb14a763b54a3c5f1e821210c0536c3ff.exe
  Resource: win10v2004-20240226-en
Malware Config
Targets
Target: f58c41d83c0f1c1e8c1c3bd99ab6deabb14a763b54a3c5f1e821210c0536c3ff
Size: 4.8MB
MD5: 259f06fcdb971f606d239b3178110981
SHA1: e2180bf4b9783d42d396826fc25ff8f9394cd430
SHA256: f58c41d83c0f1c1e8c1c3bd99ab6deabb14a763b54a3c5f1e821210c0536c3ff
SHA512: 1c3bdadf325a498133788afba3fe1f8c684079345753ae4c09b4562bfb445a2cfbce132e133ca04cb689fbe9a883f681c1fcf28cfed785a63e51edc3fcf327dc
SSDEEP: 49152:HwV7e4UdEmFoxt6LT/cZv17kbW6PaxjAzW0q0Myqi5jCeazHTL/HR85zA:HwVAzcZdYbW6yxUz40My5jCe0HP
Signatures
- Detect ZGRat V2
- Modifies security service
- SaintBot payload
- Modifies Installed Components in the registry
- Sets file execution options in registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate installed software.
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- Maps connected drives based on registry: disk information is often read in order to detect sandbox environments.
- AutoIT Executable: AutoIT script compiled to a PE executable.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (3)
  Create or Modify System Process (2)
    Windows Service (2)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (3)
  Create or Modify System Process (2)
    Windows Service (2)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (5)