General
- Target: Client-built (2).bat
- Size: 1.6MB
- Sample: 240511-a75gpaed59
- MD5: da7beeb28254ec3bb319060398c5818a
- SHA1: 99378e5615053698c3adcd02732389dc71d2b2eb
- SHA256: d515f6ca3e692713a94fe4066bbba25b4d6157af0606ca17bde5c0d4f3a6e02b
- SHA512: 7d6322396e8ecbe5e3303dd96cc1a396037d2f7d47b50714725b1138f4fc650b0ccfa1a43dd233703a860c1109a21eba527a1714319f4a08bf1a23d4b9c4a0b2
- SSDEEP: 24576:W0aS2MAjGvh1FiDkgGi2P6xE/NPe+JXe5PRnr1uyQAI9elDqYemJe+RTeteMuSdb:NaeAjWFb/gEYtX0FmhRpTj0
Static task
- static1
Behavioral task
- behavioral1
- Sample: Client-built (2).bat
- Resource: win7-20240221-en
Malware Config
Extracted
- Family: quasar
- Version: 1.4.1
- Botnet: SeroXen
- C2: 127.0.0.1:65362
- C2: common-congratulations.gl.at.ply.gg:65362
- Mutex: fc4e70a0-8aae-4cde-9ee1-344a509436e2
- encryption_key: CBC19B9A3E9EB4E5A14FBE92CED9111175A659E7
- install_name: $77-$77-powershell.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: $77-$77-powershell.exe
- subdirectory: SubDir
Targets
Signatures
- Quasar payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Downloads MZ/PE file
- Drops file in Drivers directory
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext