General

  • Target

    Debug.zip

  • Size

    25.6MB

  • Sample

    240515-yehn8agh62

  • MD5

    e1771579691287180aad10b698b8679d

  • SHA1

    a2af08015a3b6827dfda96a664986650eaa13feb

  • SHA256

    dd98100e3311787bf2f815552c9ac348c0d903849fba025eda2c5a0deec95902

  • SHA512

    cf419f9fe5d0e17d08ad6eab08726fa1d5889d411a25199b4cef58d6b05adea217737291856f37df8f075867ea2dee7267e17e4bc5ed2f0d62c4baadb0b4483d

  • SSDEEP

    786432:rxLROZXdpch44EfYbQkbC1V+iU9nO8gQzuc:JRoXdGyfY5NRdgQz5

Malware Config

Targets

    • Target

      Debug/CeleryAPI.dll

    • Size

      21KB

    • MD5

      99a217bdc8c685c3b0a319d9ea8a14db

    • SHA1

      4033ddd18b8050575fdc6c59476469e681c6a5d2

    • SHA256

      77d28d642ae0933ae522351fdb0b610045bbbf7911cfc8d8febbdea981a4ca19

    • SHA512

      2675b79714d748339bc041508c4ace30ea5a19e931f1b85ca3010e2642e3859c5089763a54346d02da7788b8daa3500664b3e471be63c5c6282e242272a8bdf5

    • SSDEEP

      384:V5hMn/3zqAaomvdkf0azg5mnUXHU6BV7rFY+EJs325Kc:I/zBCClNUX0e7Z835n

    Score
    1/10
    • Target

      Debug/FastColoredTextBox.dll

    • Size

      323KB

    • MD5

      8610f4d3cdc6cc50022feddced9fdaeb

    • SHA1

      4b60b87fd696b02d7fce38325c7adfc9e806f650

    • SHA256

      ac926c92ccfc3789a5ae571cc4415eb1897d500a79604d8495241c19acdf01b9

    • SHA512

      693d1af1f89470eab659b4747fe344836affa0af8485b0c0635e2519815e5a498f4618ea08db9dcf421aac1069a04616046207ee05b9ed66c0a1c4a8f0bddd09

    • SSDEEP

      6144:0R0J4lx4/7BA4xvNdcwCOg04j0y5mwZkdmsqmLDi5eNH+Dl1SIP0:0R0J48lAovNd7CO34D4b4eNO

    Score
    1/10
    • Target

      Debug/Newtonsoft.Json.dll

    • Size

      685KB

    • MD5

      081d9558bbb7adce142da153b2d5577a

    • SHA1

      7d0ad03fbda1c24f883116b940717e596073ae96

    • SHA256

      b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

    • SHA512

      2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

    • SSDEEP

      12288:U9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3Q5:U8m657w6ZBLmkitKqBCjC0PDgM5A5

    Score
    1/10
    • Target

      Debug/WeAreDevs_API.dll

    • Size

      607KB

    • MD5

      ea1ad1e19e81df5cfcb4207563896153

    • SHA1

      d0391630a4d1eab58b59b62062413fd9a6d70461

    • SHA256

      ba4ede69fef9675f0c8dd546cf41d0c529fa2bd75965d6964709f20ae3681109

    • SHA512

      a9b65263739bb794f7d54db06ffbb1c42eeac367b252b820e2e93313e328592652890fa3c6e3ea5d04fa193854c87b499cb07e9b7afc1627de27b27d1cec8471

    • SSDEEP

      12288:XURkGrbk/x95DR7XZdfrXg+JwuKt/S/60pR5kjo5Bda7EptO:XIkyk/x9L7Xfw+Jwz/S/69k5BkApt

    Score
    1/10
    • Target

      Debug/Z3USExecutor.exe

    • Size

      38KB

    • MD5

      ddda400d62dc821bf59f0cb131ef2ef8

    • SHA1

      1478e4a92c79a1e82b8b836ad041562c9d4f472f

    • SHA256

      934426b127d021131fe551c3c276d162bcc4d9a4f4c47b09b63ce249bd2c4fef

    • SHA512

      f42ee72adea8ffb3559afeadb582830ba8e58a839adfaa0c617cf1acae9ff276ce48e9ae0bc7aeb3f8d995cd53ccfeb93378b3d034119034324ac428bfb00d6b

    • SSDEEP

      768:EU/KM0Esg+UASJidX6GXEwkWAMQQzsXEwkWAA:h/HsPUfJidX6GXEbWAwsXEbWAA

    Score
    1/10
    • Target

      Debug/bin/CeleryIn.bin

    • Size

      44KB

    • MD5

      25f3c6098361faa4454bbe0906dad240

    • SHA1

      94c464c4c0f6a857512aed18cb66ea0a8a8dcac3

    • SHA256

      f3724814aa158fd0841c066b86abb35d21624fcfff0552f2f1156824707be5ba

    • SHA512

      30ab91ce3990e5cb90ea465df488cc1b9a3f631598d21df06d526bff9e4a5e55f76de4f19735dcd469c3997807be6dea9951521cfc7e7a9662bc63c6f77392f8

    • SSDEEP

      384:DOLN/3yg6q0MEe7Tl8ckOUMnuFqlHGoMEpdh3q3DrZrxVsrQo9962B6woQXXvhK:DgaSX6cklFaGmSrZVUs2Okf

    Score
    1/10
    • Target

      Debug/bin/CeleryInjector.exe

    • Size

      3.1MB

    • MD5

      eb1f95642914c54314ba72ffcbc79caa

    • SHA1

      77c254bf9d968fc30da4a090b11b077d4ef4ff8c

    • SHA256

      657ad03d414e5b29c793d28a23e0bf0306cffe987caa19627fb420af4fa1471b

    • SHA512

      7c2fa06700b94bccad2707e0224a87954a416b7564a6e6822cb07ccd549202dbd2556cf80c7c92bd9c905c5e1a095de1c3f6343cc3a33b6895c95375ded70389

    • SSDEEP

      24576:VFvKJxoSmOrOcEOIwKTFZ/duJa3hE+c8/LRHpDGjP8YcR+9p3fWdsI/DOGNAaATt:fvK8OrX2Ea3IsDGjP8lRAp3fA/K2

    Score
    1/10
    • Target

      Debug/main.exe

    • Size

      54.0MB

    • MD5

      d453823128c1838b39f5f12970415f51

    • SHA1

      a341e0492587cc56e0acd418e468748b3890e1c8

    • SHA256

      df12586c4ee3135acc9987358b8fab58ebdf44b8f16d212dcd33c4c0e6e52ba6

    • SHA512

      f3ab392e87766e1ff7b101024661739e8a9006ec2dd43eee9a73e2c8cc259c92f9bbf976c36323fcd5b19ddf5672c2af400e8a20eead40963d099b5ebb84ef10

    • SSDEEP

      393216:Oh9Sgmr3h2Jp5MLurEUWjZEnBSVkRIrY87PoxiXeo61JRTJ+kpZTujKQKC9vVBO:o9KrhpdbwzcY87PCiO11LTdjKjKQKCT

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      Debug/runme.bat

    • Size

      88B

    • MD5

      e142cf3e2623bebd2aaf5041acf658cd

    • SHA1

      fadcdd610b7805101ab2aa60b7a56fae4bae6c76

    • SHA256

      a8570d58d87c7e293cb45b401b06637cca30a44f5056726d16f83a104ba70722

    • SHA512

      865f620ea9388521f5566e253f6c735b8bcd0d24a04de20f70d8768199ee901474adaa33fb97ae5e7b19693d7ceed3d1df6b418554be8e26b517a0541b65f577

    Score
    8/10
    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops startup file

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
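
    The "Command and Scripting Interpreter: PowerShell" signature fires on both Debug/main.exe and Debug/runme.bat above because they add Windows Defender exclusions through PowerShell. The following detector is an added example, not tria.ge's signature code and not taken from the sample: it scans log text for Add-MpPreference / Set-MpPreference calls carrying an -Exclusion* parameter, expands PowerShell's prefix-abbreviated parameter names, and decodes -EncodedCommand payloads (base64 of UTF-16LE) so an obfuscated call is still caught. The input records, their IDs and the exact command lines are constructed for the example; in practice feed it PowerShell Script Block Logging (Event ID 4104) text and process command lines (Security 4688 / Sysmon Event 1).

```python
"""Detect PowerShell-driven Windows Defender exclusion tampering in log text.

Added example, not tria.ge signature code. Sample records below are constructed.
"""
import base64
import binascii
import re
from dataclasses import dataclass

# Cmdlets that change Defender preferences. Get-MpPreference only reads them.
MP_CMDLET = re.compile(r"\b(Add|Set)-MpPreference\b", re.IGNORECASE)
# PowerShell binds parameters by unambiguous prefix, so "-ExclusionExt" is
# accepted as -ExclusionExtension; match any "-Exclusion" followed by letters.
EXCLUSION_PARAM = re.compile(r"-(Exclusion[A-Za-z]+)", re.IGNORECASE)
FULL_NAMES = ("ExclusionPath", "ExclusionExtension", "ExclusionProcess", "ExclusionIpAddress")
# powershell.exe accepts -e, -ec, -enc, -encodedcommand ... followed by base64 of
# a UTF-16LE script. Whitespace after the switch is required so that
# -ExclusionPath and -ExecutionPolicy do not match here.
ENCODED_SWITCH = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)


@dataclass
class Finding:
    record_id: str
    cmdlet: str
    params: list
    decoded_from_base64: bool


def canonical(param: str) -> str:
    """Expand a parameter prefix to its full name when it is unambiguous."""
    hits = [n for n in FULL_NAMES if n.lower().startswith(param.lower())]
    return hits[0] if len(hits) == 1 else param


def decode_encoded_commands(text: str) -> list:
    """Return the plaintext of every -EncodedCommand payload found in text."""
    decoded = []
    for b64 in ENCODED_SWITCH.findall(text):
        try:
            decoded.append(base64.b64decode(b64, validate=True).decode("utf-16-le"))
        except (binascii.Error, UnicodeDecodeError):
            continue  # not a real encoded command; ignore it
    return decoded


def scan_text(record_id: str, text: str, from_b64: bool = False) -> list:
    """Flag Add/Set-MpPreference calls that carry at least one -Exclusion* parameter."""
    findings = []
    m = MP_CMDLET.search(text)
    if m:
        params = sorted({canonical(p) for p in EXCLUSION_PARAM.findall(text)})
        if params:
            findings.append(Finding(record_id, m.group(0), params, from_b64))
    # Decoded layers are always shorter than their base64 form, so recursing
    # into nested -EncodedCommand payloads terminates.
    for plain in decode_encoded_commands(text):
        findings.extend(scan_text(record_id, plain, from_b64=True))
    return findings


def scan_records(records) -> list:
    """records: iterable of {"id": ..., "text": ...} dicts (constructed here)."""
    findings = []
    for rec in records:
        findings.extend(scan_text(rec["id"], rec["text"]))
    return findings


# Constructed sample input (not taken from the tria.ge report). The second record
# hides the Set-MpPreference call behind -enc, as droppers commonly do.
ENCODED = base64.b64encode(
    "Set-MpPreference -ExclusionProcess 'main.exe'".encode("utf-16-le")
).decode("ascii")
SAMPLE_RECORDS = [
    {"id": "4104-1", "text": r'Add-MpPreference -ExclusionPath "C:\Users\Public\Debug" -ExclusionExt ".exe"'},
    {"id": "4688-1", "text": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"id": "4104-2", "text": "Get-MpPreference | Select-Object ExclusionPath"},
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f.record_id}: {f.cmdlet} {', '.join(f.params)}"
              + (" (from -EncodedCommand)" if f.decoded_from_base64 else ""))
```

    Only the first two constructed records are reported; the read-only Get-MpPreference query is left alone. Running this over 4104 script-block text rather than only over process command lines matters, because a dropper that launches PowerShell with a script file or via stdin leaves the exclusion cmdlet out of the command line entirely.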

MITRE ATT&CK Enterprise v15

Tasks