General

Target: Exloader_installer.rar
Size: 43.4MB
Sample: 240519-bnw7msah42
MD5: 6ec37ccf013515988cfc3a97daf53dce
SHA1: b823c26f84554acc649a6580d4922488024f196a
SHA256: c7b07fb622ddddee4ad0f1210783e7e6ce91a671d965e5952957052fda5cb37d
SHA512: 6069ec2ad94285e3d4e077f9f2a31bd2fb319a0df31739730486ebdf2aa9e6a094a802bbc637997f33ce32212654c27fa3bc3b91d620ad4647b212f2477382a1
SSDEEP: 786432:xhZFYqfv7VTHBuMwYep++Pk8GE7c9fQVQNurAGTszUJvprA1v1+08kEX9H:xhj57BubY8khE7c9fCQN8xsMRrAlDkNH

Static task: static1

Behavioral task: behavioral1
Sample: Exloader_install.exe
Resource: win7-20240221-en
Malware Config

Targets

Target: Exloader_install.exe
Size: 64.5MB
MD5: 2f7a0a4c5f1f55b5cfccc5052f6b1030
SHA1: dd700f9ad38b976635c5ac68b7eec6af8e8e8993
SHA256: 6eb7200b223303770879b7bfca6ce2e6845ee22679dd646eda28531db2ec5dd3
SHA512: fbbcc4672da7e40739bdae1996b0aa243b2e04dbeb58f2de025fabdbd927f98c2858e88f77a2c22c5b5dfda03f307c77e2b2b3cd588e81f5ec75091559b17e6c
SSDEEP: 1572864:Doqyq5YGUBgSTZ9GjnqmaKDCFFTpB4feXEwDW:Do3tBVTZ9Gea0FTcFoW
Score: 10/10

Signatures:
- Modifies security service
- Creates new service(s)
- Drops file in Drivers directory
- Sets service image path in registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
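The signatures above point at a small set of host artifacts a responder would want to check on a machine suspected of having run this sample: the country-code registry value the geofence reads, services registered with an image path outside the usual locations, freshly written files in the Drivers directory, and Run keys. The following triage script is an added example written for this page, not output of tria.ge or code from the sample. It assumes the standard registry locations (the Geo\Nation value under HKCU\Control Panel\International, the Services and Run keys under their usual hives), a seven-day lookback window, and that it is run from an elevated PowerShell prompt; none of those specifics come from the report.

```powershell
# Added host-triage example for the behaviours listed in the report.
# Assumptions: standard registry paths, 7-day lookback, elevated prompt.

$lookback = (Get-Date).AddDays(-7)   # assumed window; adjust to the incident timeline

# 1. Geofence input: the per-user country code (GeoID) the sample is reported to read.
#    Assumed to be the 'Nation' value under Control Panel\International\Geo.
$geo = Get-ItemProperty -Path 'HKCU:\Control Panel\International\Geo' -ErrorAction SilentlyContinue
Write-Output "Configured GeoID (Nation): $($geo.Nation)"

# 2. Services whose ImagePath points somewhere a legitimate service rarely lives
#    (user-writable paths) or into the Drivers directory. Driver paths are common for
#    real kernel drivers, so those hits are a prompt to check the signature in step 3.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$services = Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue
    if ($p -and $p.ImagePath) {
        [pscustomobject]@{ Service = $_.PSChildName; ImagePath = $p.ImagePath }
    }
}
$suspiciousSvc = $services | Where-Object {
    $_.ImagePath -match '\\Users\\|\\Temp\\|\\ProgramData\\|\\AppData\\' -or
    $_.ImagePath -match '\\drivers\\'
}
Write-Output "`n== Services with ImagePath in user-writable or Drivers locations =="
$suspiciousSvc | Format-Table -AutoSize

# 3. Recently written files in System32\drivers, with Authenticode status.
#    Unsigned or recently dropped .sys files here match 'Drops file in Drivers directory'.
$driversDir = Join-Path $env:SystemRoot 'System32\drivers'
Write-Output "`n== Driver files written since $lookback =="
Get-ChildItem -Path $driversDir -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $lookback } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File      = $_.Name
            Written   = $_.LastWriteTime
            SigStatus = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    } | Format-Table -AutoSize

# 4. Service installation events (System log, Event ID 7045) inside the window.
#    This is the most direct record of 'Creates new service(s)'.
Write-Output "`n== Service install events (7045) since $lookback =="
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $lookback } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List

# 5. Run keys in both hives, matching 'Adds Run key to start application'.
Write-Output "`n== Run key entries =="
foreach ($hive in 'HKCU', 'HKLM') {
    $runKey = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $entries = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($entries) {
        Write-Output "[$runKey]"
        $entries.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { Write-Output ("  {0} = {1}" -f $_.Name, $_.Value) }
    }
}
```

The driver-path match in step 2 will list legitimate drivers as well; the point of pairing it with step 3 is to separate signed, long-standing driver files from anything written inside the window without a valid signature. Step 4 should be read alongside the report's "Sets service image path in registry" entry, since a 7045 event names both the service and the file it was registered with.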
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)

Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- System Services (2)
  - Service Execution (2)

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (3)
  - Windows Service (3)