Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88
-
Size
3.0MB
-
Sample
240521-zaq1gahd77
-
MD5
7930c72a0629b7d98cae323593175068
-
SHA1
3b53d631f69d7c1315b66c6c5ea43fc2dfb5d947
-
SHA256
2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88
-
SHA512
4053cf95786a933209f4ace73d7ae693816b288c8aa04bff3e2458e29e57d745710aabab70a86ff32ebedff3fe8f1be10c2976a659784de4c896017f0a9e30e8
-
SSDEEP
49152:AZ2fRPDpkR3/hESpjo4uLDI3KoSPq3cXtFvOUcx3twYvr0G56/FBwzpTZoKh:07ZJ89LDSKrq3iGnnw+1YXw9OK
Malware Config
Targets
-
-
Target
2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88
-
Size
3.0MB
-
MD5
7930c72a0629b7d98cae323593175068
-
SHA1
3b53d631f69d7c1315b66c6c5ea43fc2dfb5d947
-
SHA256
2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88
-
SHA512
4053cf95786a933209f4ace73d7ae693816b288c8aa04bff3e2458e29e57d745710aabab70a86ff32ebedff3fe8f1be10c2976a659784de4c896017f0a9e30e8
-
SSDEEP
49152:AZ2fRPDpkR3/hESpjo4uLDI3KoSPq3cXtFvOUcx3twYvr0G56/FBwzpTZoKh:07ZJ89LDSKrq3iGnnw+1YXw9OK
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Detects executables containing bas64 encoded gzip files
-
Detects executables packed with SmartAssembly
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-