Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
SecuriteInfo.com.Win32.Evo-gen.23207.8804.exe
-
Size
1.8MB
-
Sample
240614-v1eb5stdpj
-
MD5
fc8b4ad76d2b7b814f6fcaeed5d0af75
-
SHA1
b14cd344e70a5fec100925d32d08399671e4f434
-
SHA256
022c76f26770e2686b68a68ee6ed32d35d336308de995473d70c04f1ac6f83d2
-
SHA512
51743bf2bd10a993c9e097e19cb7f325483503b309a699be1b9e6686aeea77e987dcbedfee58ca3abf8b61b4410b71c0d9f73ae89d2603edd125f85465257347
-
SSDEEP
49152:z32SkrBRq+zNtYu3/UOXTqPsVNEYlv4jWBHSsY5B5AyZ:wrXtzL9vtqPuNEYliws
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Win32.Evo-gen.23207.8804.exe
Resource
win7-20240221-en
Malware Config
Extracted
amadey
4.21
0e6740
http://147.45.47.155
-
install_dir
9217037dc9
-
install_file
explortu.exe
-
strings_key
8e894a8a4a3d0da8924003a561cfb244
-
url_paths
/ku4Nor9/index.php
Extracted
amadey
8254624243
e76b71
http://77.91.77.81
-
install_dir
8254624243
-
install_file
axplong.exe
-
strings_key
90049e51fabf09df0d6748e0b271922e
-
url_paths
/Kiru9gu/index.php
Targets
-
-
Target
SecuriteInfo.com.Win32.Evo-gen.23207.8804.exe
-
Size
1.8MB
-
MD5
fc8b4ad76d2b7b814f6fcaeed5d0af75
-
SHA1
b14cd344e70a5fec100925d32d08399671e4f434
-
SHA256
022c76f26770e2686b68a68ee6ed32d35d336308de995473d70c04f1ac6f83d2
-
SHA512
51743bf2bd10a993c9e097e19cb7f325483503b309a699be1b9e6686aeea77e987dcbedfee58ca3abf8b61b4410b71c0d9f73ae89d2603edd125f85465257347
-
SSDEEP
49152:z32SkrBRq+zNtYu3/UOXTqPsVNEYlv4jWBHSsY5B5AyZ:wrXtzL9vtqPuNEYliws
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Adds Run key to start application
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-