Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    v5.exe

  • Size

    15.8MB

  • Sample

    240529-qetsgsgc48

  • MD5

    3f520362308d33e2810e7a13e6d57e35

  • SHA1

    b4a43ac54deaab2a5ad11258aa49a33652e28eb7

  • SHA256

    77c54133f9c02b492c56056dd000b700ca32bc7990d1eb2190d65768f99be01b

  • SHA512

    b1e0057b77dd148cbfe7d7f2c78f9632e1cc75dcbade64291a1193bff047cee753968706d09b8c88f3bdf065fb8e161c373983a3ecdf8839a21b5496f7763c8a

  • SSDEEP

    393216:2l0ceFaaCz5/B0TUo+uwphgoHrQlDgn8LPDRyL:2HSaa+0CO+wDgn2

Malware Config

Targets

    • Target

      v5.exe

    • Size

      15.8MB

    • MD5

      3f520362308d33e2810e7a13e6d57e35

    • SHA1

      b4a43ac54deaab2a5ad11258aa49a33652e28eb7

    • SHA256

      77c54133f9c02b492c56056dd000b700ca32bc7990d1eb2190d65768f99be01b

    • SHA512

      b1e0057b77dd148cbfe7d7f2c78f9632e1cc75dcbade64291a1193bff047cee753968706d09b8c88f3bdf065fb8e161c373983a3ecdf8839a21b5496f7763c8a

    • SSDEEP

      393216:2l0ceFaaCz5/B0TUo+uwphgoHrQlDgn8LPDRyL:2HSaa+0CO+wDgn2

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Drops file in Drivers directory

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks