General
Target: Enigma.exe
Size: 1.2MB
Sample: 240416-zwq8cscf28
MD5: d0f80a39b6f0a3beac677c6846c3b41a
SHA1: d7b1f3b1b53fa474247f9d4e63b959aa902866a4
SHA256: 3ef10a8b44eb13fc45d40ced592fe9f1a83e6b021b3681da61f7cce688304047
SHA512: 38cf9347f60cfa8a700f040e647deaac3309db71919b508ef7bf82f39b3497a5124413cdaae2ddc522200b23ab4c832f7c6ba72e673c8496ee8a36326c889270
SSDEEP: 24576:3stMPfK4jgsfALDEx/AoO0RwqvpVQqblqJRYu/UZfh+n6A6qtFa:3stb+Jlp3gJerIn6ApF
Static task: static1
Malware Config (Extracted): gozi
Targets
Target: Enigma.exe (1.2MB; same file and hashes as listed under General)
Signatures:
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger