Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Nicht best...24.zip

windows10-1703-x64

1

Zeus 4.7.2.exe

windows10-1703-x64

10

Zeus-GUI.pdb

windows10-1703-x64

3

ZeusHex-GUI.deps.json

windows10-1703-x64

3

ZeusHex-GUI.exe

windows10-1703-x64

1

ZeusHex-GU...g.json

windows10-1703-x64

3

Resubmissions

07/06/2024, 15:13

240607-slps8aac5v 10

07/06/2024, 15:11

240607-sk3zfsbb99 10

07/06/2024, 15:08

240607-sh7vmaac2s 10

07/06/2024, 15:05

240607-sgnqcsbb65 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Nicht bestätigt 879324.crdownload

  • Size

    1.4MB

  • Sample

    240607-sgnqcsbb65

  • MD5

    e3970ffa96653f138e63ad0148970dac

  • SHA1

    b466278571bc1b20f2cf767b2222c17449ee1dbc

  • SHA256

    5a32b1864bcb2d237aca956c3b7474c2de484c38cbaa608ab5ffc71214bae2b8

  • SHA512

    af9e28a39cda24521ad4239d8c616bffbb63a44ae3efedbf9320f83146b5ada758fc2d76fdba07e89bf9066088fd7159650b66c998549c49fbdade1022c0a163

  • SSDEEP

    24576:CvJwL1rOBrsdTKf8oyVJHOohsXiV61rbXWcbd7JFV9MGiwS5OlliRw+gj8jbpRtQ:yJwxrOBaTKf8NVtOPXdbNHFVKc/izgjz

Score
10/10
rhadamanthysevasionexecutionpersistencestealer

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

https://rentry.org/lem61111111111/raw

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://bitbucket.org/43g34g34g34/34g34g34g34g/raw/e946dd91d069dd0a14070ddbc4920354650bd041/lem.rar

Targets

    • Target

      Nicht bestätigt 879324.crdownload

    • Size

      1.4MB

    • MD5

      e3970ffa96653f138e63ad0148970dac

    • SHA1

      b466278571bc1b20f2cf767b2222c17449ee1dbc

    • SHA256

      5a32b1864bcb2d237aca956c3b7474c2de484c38cbaa608ab5ffc71214bae2b8

    • SHA512

      af9e28a39cda24521ad4239d8c616bffbb63a44ae3efedbf9320f83146b5ada758fc2d76fdba07e89bf9066088fd7159650b66c998549c49fbdade1022c0a163

    • SSDEEP

      24576:CvJwL1rOBrsdTKf8oyVJHOohsXiV61rbXWcbd7JFV9MGiwS5OlliRw+gj8jbpRtQ:yJwxrOBaTKf8NVtOPXdbNHFVKc/izgjz

    Score
    1/10
    behavioral1

    • Target

      Zeus 4.7.2.exe

    • Size

      173KB

    • MD5

      28e0ba051ad84949cfedd2a58b1636cb

    • SHA1

      6ff46613adb7594c6abbe0ee9c64a68129501fb8

    • SHA256

      265013eb61e407130b8fe723809549000ffe4ad96ef6c5ad1945e2727cee5aa0

    • SHA512

      a14ea1a7e8756e15aee996c848006a1f2212acd753ca1629224b362fe8ef24331c49617f59bd84846b95a2143744418bbd78a4d0088efab76228344662ae67a4

    • SSDEEP

      3072:NPBBih6XScZZmmiyQrcR6qx6LAIxkN3wlCxvxrtJRscwX7zhhxXNrykAOkvpObQ:Nyh6XffliyQrC6LAIxkpwlOJrtJRscwi

    Score
    10/10
    rhadamanthysevasionexecutionpersistencestealer

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

      stealerrhadamanthys

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Creates new service(s)

      persistenceexecution

    • Downloads MZ/PE file

    • Stops running service(s)

      evasionexecution

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral2

    • Target

      Zeus-GUI.pdb

    • Size

      32KB

    • MD5

      d2f1182da0077f1e60e33f1efa03584a

    • SHA1

      af832c5fe748ff688a03823bf47ed5902fbe4236

    • SHA256

      593169a5292387ff27c5c5de33db0fa1eaf65290fd52c6ff93d49233e7ebdebc

    • SHA512

      b88d30fa31a885e5b1cec1306ec446d85f2be689f7e043d4e85ea98c4cbec052558aa1555576a640fc49d890763732a7306ff492a788439d5792ebf566e43c1b

    • SSDEEP

      384:bOxouqQ9n3YucMaWQbuKaasvSlKzGIEoDL0EhM7bjeArX9komVAQHHfisbHtixhV:CxvqG3D+2LQeEatahvH45wF3e4Mjl2

    Score
    3/10
    behavioral3

    • Target

      ZeusHex-GUI.deps.json

    • Size

      55KB

    • MD5

      33784d40d169fa2ad9bfa73eda3ea7ef

    • SHA1

      4e1d0fd1107a990e36050339b1726493a9a6f31a

    • SHA256

      2fc1a3f36e616cbc3cd8be04f8bf7ed49f927b69b4dc14e8a21ed65fe262eb08

    • SHA512

      e2d05e91bf1df0ec66336a6f04e18fc0fee0da3e297765848fa8e8649e7bc4a25cb5f599e43e293be5ee9f5e76f66b99958c13239c9324b1c5500fb3f6c4c7d3

    • SSDEEP

      768:YXlcu7EJBuR6ML1O/1u33ZHZsSB1W0YQR:Wlcu7EJBuR6ML1O/1u33ZHZsSBLY0

    Score
    3/10
    behavioral4

    • Target

      ZeusHex-GUI.dll

    • Size

      1.3MB

    • MD5

      ad714ee48d2e829c5012c65de6166c05

    • SHA1

      5880bac89ca346dae62c053aa49c028372388edd

    • SHA256

      7d32d13d123871650794a1e172adc70bc8dafbdb762f49d889f813844d532b20

    • SHA512

      a51252950455dbfb5dfd564689e605b022bdf26f80ad12f3fde3e341a14b8f764324ff3be6f29e4855bd499141e23628e9aabb0e439627dc802814db091d54ee

    • SSDEEP

      24576:ZfaPwrgBrO1BKH8jPcWYVxHCoh0XeV61r9qZWe7d7NWS91GsVz9cebgS9aI:ZCPwrgBWBKH8jkDVFCNXODzWS9HfX0HI

    Score
    1/10
    behavioral5

    • Target

      ZeusHex-GUI.runtimeconfig.json

    • Size

      266B

    • MD5

      d720176a229e9d969b40fabeb0baf62e

    • SHA1

      f2d8e97a6c6098a10dd80553eaaef7547ad32ba3

    • SHA256

      321b4e463bbacd6113aa337511bdebf5e7356e9971744346b28424607c7b483a

    • SHA512

      0844f9aca147014a68248c43310bf97e0a0a3679fc84650aa0a27aa09f70f56fa071c0ace1be80f0e33ce4dd3f865eae11e946d98d21af916dc1a7f945acaba0

    Score
    3/10
    behavioral6

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

System Services

2
T1569

Service Execution

2
T1569.002

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Scheduled Task/Job

1
T1053

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Impair Defenses

1
T1562

Modify Registry

1
T1112

Credential Access

Discovery

Process Discovery

1
T1057

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Service Stop

1
T1489

Tasks