Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    acb73bec8148cdb9c941c0cb543f86fb8b6ead991f316016a98a65df91628a75

  • Size

    1.8MB

  • Sample

    240427-vm6t8sdf7w

  • MD5

    3129fec389a088955fae72aa12b20ef0

  • SHA1

    e4cc27027754574a6abdf0010333930016b37fb5

  • SHA256

    acb73bec8148cdb9c941c0cb543f86fb8b6ead991f316016a98a65df91628a75

  • SHA512

    918ac19261d99d7ea7cc92bdf6e72a8caff90eb6241c650fe95cf0230bce9af8bc52231c0a7452244b88b6024b0061351520e57400952e4bf4191e67bc8139e9

  • SSDEEP

    49152:r3/bnfCUYZWGdSbS36Q5DTFpcL4Mne/qMFZQK:rjnf2vFpcL1uFZ

Malware Config

Extracted

Family

amadey

Version

4.20

C2

http://193.233.132.139

Attributes
  • install_dir

    5454e6f062

  • install_file

    explorta.exe

  • strings_key

    c7a869c5ba1d72480093ec207994e2bf

  • url_paths

    /sev56rkm/index.php

rc4.plain

Extracted

Family

amadey

Version

4.17

C2

http://193.233.132.167

Attributes
  • install_dir

    4d0ab15804

  • install_file

    chrosha.exe

  • strings_key

    1a9519d7b465e1f4880fa09a6162d768

  • url_paths

    /enigma/index.php

rc4.plain

Targets

    • Target

      acb73bec8148cdb9c941c0cb543f86fb8b6ead991f316016a98a65df91628a75

    • Size

      1.8MB

    • MD5

      3129fec389a088955fae72aa12b20ef0

    • SHA1

      e4cc27027754574a6abdf0010333930016b37fb5

    • SHA256

      acb73bec8148cdb9c941c0cb543f86fb8b6ead991f316016a98a65df91628a75

    • SHA512

      918ac19261d99d7ea7cc92bdf6e72a8caff90eb6241c650fe95cf0230bce9af8bc52231c0a7452244b88b6024b0061351520e57400952e4bf4191e67bc8139e9

    • SSDEEP

      49152:r3/bnfCUYZWGdSbS36Q5DTFpcL4Mne/qMFZQK:rjnf2vFpcL1uFZ

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks