Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    79089643736164d0100b69bdc309b4aa69f87f3c915bb80bed31f122e77c760a

  • Size

    2.0MB

  • Sample

    240621-258j4svbra

  • MD5

    b1f94dcb56edf7117429cfb1d64b1ded

  • SHA1

    a06a8280e6b605fbb2ca278df1be1be4e979a8e7

  • SHA256

    79089643736164d0100b69bdc309b4aa69f87f3c915bb80bed31f122e77c760a

  • SHA512

    47ffbcc807df8ab2b827bcebc23cacbb3f2e831790d3c37de2bffcedcad0c88513c97973ee96941ccd96c1bc0bd5ae4fef65be7d5e3306c721a692a91991df45

  • SSDEEP

    24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYt:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9Yn

Malware Config

Extracted

Family

azorult

C2

http://0x21.in:8000/_az/

Extracted

Family

quasar

Version

1.3.0.0

Botnet

EbayProfiles

C2

5.8.88.191:443

sockartek.icu:443

Mutex

QSR_MUTEX_0kBRNrRz5TDLEQouI0

Attributes
  • encryption_key

    MWhG6wsClMX8aJM2CVXT

  • install_name

    winsock.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    win defender run

  • subdirectory

    SubDir

Targets

    • Target

      79089643736164d0100b69bdc309b4aa69f87f3c915bb80bed31f122e77c760a

    • Size

      2.0MB

    • MD5

      b1f94dcb56edf7117429cfb1d64b1ded

    • SHA1

      a06a8280e6b605fbb2ca278df1be1be4e979a8e7

    • SHA256

      79089643736164d0100b69bdc309b4aa69f87f3c915bb80bed31f122e77c760a

    • SHA512

      47ffbcc807df8ab2b827bcebc23cacbb3f2e831790d3c37de2bffcedcad0c88513c97973ee96941ccd96c1bc0bd5ae4fef65be7d5e3306c721a692a91991df45

    • SSDEEP

      24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYt:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9Yn

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Detects Windows executables referencing non-Windows User-Agents

    • Detects executables containing common artifacts observed in infostealers

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.