General

  • Target

    Dropped Malware.zip

  • Size

    9.8MB

  • Sample

    240703-2z1bjszhqr

  • MD5

    d0581ce7e9911fcd2a002891bde2aa99

  • SHA1

    f0c26a67290790cb04d6d8518fb1ca45350ea593

  • SHA256

    49042e86af4503a917b8408c4faab2759688065a429015a2c90430fa7371291f

  • SHA512

    8363e7e3b2cd0f7354667bb50eba432219e261a35e21edfa8688e1cc36abe22da25ae6c8019222aec24f2ba248f817dd60c081efcf993302f370e7a6a084a9f0

  • SSDEEP

    196608:Lq06dZiAS83wMTzBEOv2hFjQLTemwT9BlCljndX5OoGEFBZEbQB8HsK:QL3PEE2hFj+Tyv+ndlIbQB8H5

Malware Config

Extracted

Family

snakekeylogger

Credentials

Extracted

Family

remcos

Botnet

1218202300

C2

softwareupdatexkwre.duckdns.org:45682

Attributes

  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    hdgd-8HWPTM

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

agenttesla

Credentials

  • Protocol

    ftp

  • Host

    ftp://mail.hearing-vision.com

  • Port

    21

  • Username

    [email protected]

  • Password

    LILKOOLL14!

Targets

    • Target

      Dropped Malware/01622664c6bf1a51484157d73fb4a42f.exe

    • Size

      106KB

    • MD5

      01622664c6bf1a51484157d73fb4a42f

    • SHA1

      31ff8fb02c3ee252dc497f3768c236d5ccc71199

    • SHA256

      4a69a64d652063b65cfe7f7ad5e54491b06547c783d74147c79cb9145536cf26

    • SHA512

      378c7afb1186edf12fb0ee9d453d36ca260359e1a666b9b4f0141d62650956918efeaf38de7c7671e5aa4efad3f92b04d0d6696abe84a4c2aff7a916d3ca53c3

    • SSDEEP

      3072:wGUSliz0dH2QskPV6+Mt/5z8SyIW+5Iy5iFjEd0twj:lUSlfB9skPVEtBAc2y5iS0aj

    • Score

      1/10

    • Target

      Dropped Malware/1.exe

    • Size

      76KB

    • MD5

      5f9a82f873e71e023fa72a03c6f91bb5

    • SHA1

      511174a6e1d7a4c8450bc4ba8a0c8cd813419960

    • SHA256

      8c13fdcfeb87abd390f487e9d51d7edcdd6073951a5f96e5c0b1f7d899874932

    • SHA512

      b953523757a91dac93ebe8dbc194b89a5bf62d7b89d628cc73a99f37cfc227f463a2928189752c83f7b8355c7abb985317a75e8c6d1372849569763323e64cb6

    • SSDEEP

      1536:HQGUSliUwsf2aH2CyQwvN6sWLLb291q6+6EKft/B6CLP8SZstBkqPyB6:wGUSliz0dH2QskPV6+Mt/5z8SyIW+6

    • Score

      1/10

    • Target

      Dropped Malware/BNP DOC 12578945329763-7633562829.exe

    • Size

      2.1MB

    • MD5

      864ec5148797f4e02d42e1bccd9a6fe7

    • SHA1

      bc0a0146ef1d4fbab0b1a75c82cc45bbd94b4f2f

    • SHA256

      0ec61eda09a5b90027808d2295a193eb7a8e81d440e5460d00a69328c2f9ee81

    • SHA512

      13e2bc609ac3fe021b39ffb783d7dda07eb5028752cc22c4adf0363b23624c92618b83b913e95bbc8c854341eb2fc8be5bf6903699031623a8a50b167b593f49

    • SSDEEP

      49152:nOD+bTI6YTDml4HJPHDQkOBU0f9iygcrxZ3aU5ZNIrRo2ht1W1cvkN8TCiJ5QtbF:Gv85wDJ5QtB

    • Score

      10/10

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Suspicious use of SetThreadContext

    • Target

      Dropped Malware/Comprobante de pago_978989689.xla

    • Size

      170KB

    • MD5

      d0055b08c9a93f662b3a234a984ceb2f

    • SHA1

      8c6df2ae8820912744ce8b717604399bbde46a66

    • SHA256

      7203e2e674817c3cc2080d810a2e09323100163a1bd8f8d4ffbf5b9b1729b9c1

    • SHA512

      d01d458aeac1c9d027b05af24e51984004d3800d658af7e77798e8352059db2c22377775c7cadf94940b8c4622f501181c40006193d7bf96f97dceb041d1b88d

    • SSDEEP

      3072:y8tq3KR9pLmLX6MOXG0A6OM1Qr6tjtmTgY3A1bPjbw2wB5bFJvqNX:y6NCLX6b2ctjtmT5uE2wB5vv4

    • Score

      1/10

    • Target

      Dropped Malware/Document BT24·pdf.exe

    • Size

      651KB

    • MD5

      55d49f5f1c74dc50dd5ca4b0298a9e5d

    • SHA1

      594dd375a711937812fa7c93ec57eed34fa50edb

    • SHA256

      aac1416d21318d7eec4ecc4e87d91cfbee0b5d569ff9642070c9947c4c59265e

    • SHA512

      774ca13ec168e3fe9da983cf6055852c61d39a893b620c5de8e65e725b28baadebe0a5e0b92ddfe9e41dafa4c0d29221b6fe2e4457544618d2ae47c15f5a9790

    • SSDEEP

      6144:z9KOQS4B4GMSGJpFhm0fwtOiCB+VlFbdu3ucUHJxk1p8Tl82nRDJE6pYIQZA:zsB4GOVyquXY1E8obE6pYO

    • Score

      8/10

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Loads dropped DLL

    • Target

      Dropped Malware/Jailkeeper.exe

    • Size

      858KB

    • MD5

      c7eefc30a9cdc5bab3269cefde2d221e

    • SHA1

      27914bc81bdc74d9607784d9e239f5437b1e8cb1

    • SHA256

      2a089fc9b24c5253a913526be0ac2ee62b911a96645cb70885d678c91dcb83c9

    • SHA512

      fce33213726f84946162e2c115f67dc4dbfe60af9ca6b6ceb75d576f9370abc98ed0309acf617a2c6f34ffc023632ce1b32391716190980aceb4af84dce3798c

    • SSDEEP

      24576:XcIjUna3iVPF+zgyKKht6APjMtiVBsRXRU:kbF50httQbi

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Guloader,Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar data.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      Dropped Malware/LHDNM TAKSIRAN 2023·pdf.exe

    • Size

      639KB

    • MD5

      0609cbf05b1169cd11a37910df2d74c0

    • SHA1

      7d2dd3c50535783bd6d2755c3fa9b9f810c12f13

    • SHA256

      798354959e95dc35440eb858765cf22e9e16b7577bba1b637b554aeb27fe86dc

    • SHA512

      d1874d83b1b1f6765af5806564cd039cdd0ea03d149c58bff9deccc8d7c1587c46e8681ca00c3ec14801bab23a9b984f9fc1e8438608d415571dadc7ab3de576

    • SSDEEP

      6144:z9KOQS4B4GMSGJpFhaI27ySqUawlTFEHhq9/GtGOzx65MTOjbpUYpVslMDRkQZI:zsB4GOaJ6UrFh/GtGOzQ5MTOjb9pWeA

    • Score

      8/10

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Loads dropped DLL

    • Target

      Dropped Malware/Order 000293884849900.exe

    • Size

      867KB

    • MD5

      bac47ab495ba1e8f2d5aed655ce5b255

    • SHA1

      5fd56170add16e9e7fabe8683251d55e28e95e3e

    • SHA256

      1d8f40654fc90da579349546b0c74fc7334ad8a6fcbf21f87815715e644950d1

    • SHA512

      34fb9092b82774fe5495a35bd5da9546a283645a66c5e236b7e8103df946190b1cc42d7fd1941afa45e0f30f2c700d517756bf08cd8b4e36df2069a917d4dfd1

    • SSDEEP

      12288:XcIjd3nQIQsk3na+Qi9lO7raaXyH1JAnItJFxFm8RLbNk388mYpATkFRs2/mA8:XcIjUna3iDzGw1+ItbfNI38DYpATGshB

    • Score

      7/10

    • Loads dropped DLL

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      Dropped Malware/PO 903886563 PDF.bat

    • Size

      3.3MB

    • MD5

      617c9a6889d4ff7ddb750572820c92ca

    • SHA1

      6d6eff808d2cef7d5e9e4d080732dd1af1d0df59

    • SHA256

      3fae97aaff7c1019e9c999a6d7cc3878dbde9f457b7e89b25081c519183b282d

    • SHA512

      d9a04b2e24a5ec6e53ce295796ea82b954ee0338209384f4aa3e963ef80cffa44d40188245e1a064ff734beb99c7b2a4e953a2beaa02d7a598c07c8988103947

    • SSDEEP

      49152:KVVV5AimK+13kDHc1Fc0sUiXltqXZ0IdSMvnH4db2G7+:l

    • Score

      8/10

    • Sets file to hidden

      Modifies file attributes so the file is not shown in Explorer and similar tools.

    • Target

      Dropped Malware/PO2024-0961.exe

    • Size

      1.2MB

    • MD5

      72f3a4a4cc00e2b6f64e0a204678de73

    • SHA1

      9abfc40bb6c14ab8414a2a5990b7efbb90073b22

    • SHA256

      c10e5f7f008da5ed2a5b08326d57e7d6b052644df78facc7bbdca7b0ed366254

    • SHA512

      a0d33db745e247c63c2315c55c004b5e25e86b45ad454adc2c4121dbac44dc3418cec4ebf790c039b71f00668881dd66b83a87448eab3b83e06ea7ffe8b4c111

    • SSDEEP

      24576:RAHnh+eWsN3skA4RV1Hom2KXMmHaehqzGtIK+5i5DrgNV7N5:oh+ZkldoPK8YaehFyx5IDrU

    • Neshta

      Malware from the Neshta family infects other files in order to spread and cause damage.

    • Drops startup file

    • Executes dropped EXE

    • Modifies system executable filetype association

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

    • Target

      Dropped Malware/PRODUCTS LIST pdf.exe

    • Size

      541KB

    • MD5

      32c4e05aa7f5a3db58952fc06a00431d

    • SHA1

      db05864bb7349e3e4cb35d51a03c7110d049fa8f

    • SHA256

      a745afdd5cb81567de1560ead34145f713b7894058aa2097d755bf5d09b9d34f

    • SHA512

      88880e24e35ca74001b9e20599c8bab3f11f37b200d14517a2a985adbc0f20247538c5d2646d2f6bdaac4d72fbb35f36e38ea5386c323d4b0881ddd7b4c52f3f

    • SSDEEP

      12288:l99glhxbCawPRlsp8UQnF6mYlBNS61kf4mQKBWQ2:lGwJH5nEtS61MnQKBWQ2

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      Dropped Malware/Product Inquiry466789.xls

    • Size

      464KB

    • MD5

      9a188fc2dccb4a90c872e16259462fa7

    • SHA1

      e56151f5e64aadedc0d4b173041cace2f8edf246

    • SHA256

      3a7d034a793a0f03dc9930446aebf326320140584eeb171909962ec7123f9e5e

    • SHA512

      090eeeb19d56668615c4efce2ab06e547e9ecec0f5f7e629afdeb1008db8644357b35230ff574c74c0be05c273dcdc7bd3ce5ae4ae545d27b3dc442101785c63

    • SSDEEP

      12288:8uyqFzu4L0o37h6NCLdyJa9xeBDh8UTxDyJ:8izu4L0I96NCRyJa9xeBDlT

    • Score

      1/10

    • Target

      Dropped Malware/Quote Request (Tupy S.A.) 523AM - 924BR·pdf.exe

    • Size

      648KB

    • MD5

      93a658e985408e0538044b8b91a2729c

    • SHA1

      c1f250915cb43fc6a46d29dc28a1f09881fe0ded

    • SHA256

      1789a36b829cd09dc4fd24323a0d1bb900494714b4cc7083af651630f2c42d2f

    • SHA512

      5337c140a778e4ababf7dd82fcd280feb2a7e9e9db981c7fed1fff9c0ea8d562afe71992aa054e98ba9c715f0bea48d939f98b171110a7aaffcd372d23e2816e

    • SSDEEP

      12288:zsB4GOFuvCfdDrklbm9QfwYUcTWQ5xQryR2:I4GOFCCFf4m9ESQWQDQ2Q

    • Score

      8/10

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Loads dropped DLL

    • Target

      Dropped Malware/REQUEST FOR QUOTATION_pdf.exe

    • Size

      1.1MB

    • MD5

      8f72ae5c3e68e643690aea36735a95bd

    • SHA1

      ed901f56acd0fdf9acf586ee84cd22469a92c285

    • SHA256

      e3f20d09ed34a08bc3a8c6ebf4bceb079c24229e8b7765a2e679a0ee4a6df28a

    • SHA512

      aee44099bb33d6a628221dcd1feb11ad537aa3d9ed76643368cd915758c8bad68e533b4b3a406c0b82b72ca0ee47ffc229dab849461eb473e2176f0b30894308

    • SSDEEP

      24576:5AHnh+eWsN3skA4RV1Hom2KXMmHaWQ7JttVeq4RqULd9DEEC/oWb5:Ah+ZkldoPK8YaWQ7J554FHao6

    • Score

      5/10

    • Suspicious use of SetThreadContext

    • Target

      Dropped Malware/Transaction_Execution_Confirmation_000000.vbs

    • Size

      187KB

    • MD5

      37f090cc76db33c457b77c6b2c6bb13d

    • SHA1

      7c499fca1564ea4fb48cc2b72212bc3f857443ab

    • SHA256

      36e517cbfb12bd2e58446d7ae27d76baf3e454a793e8c629667fe067839ec23f

    • SHA512

      90aeb5b01c9309c49f35541d97f7532ed7a564fee986bf111a6f33bb41339e54f9972368179632ee5d6bdd8840811dc665a56ff5a26b159bbe764279f7be0de3

    • SSDEEP

      3072:VmN8GGebKjeK3ubth+DCFxKCvBB/WnHPP1w/sLJFJ281QIHz1y8mNy7Ey1MgKTZJ:V08GxbKja3+DCbKCvBB/WnHXC/sLJFJW

    • Score

      8/10

    • Blocklisted process makes network request

    • Target

      Dropped Malware/faktura_7171503997·pdf.exe

    • Size

      648KB

    • MD5

      af7493a9e9ea9a5181ebc8ba0c3bb7bc

    • SHA1

      809de7c88d3a53a4ec803c37e232c12037c48911

    • SHA256

      a77c2d0242aa3601ba7b257ab9bdb4fcb717f64a8cd6da3178e517bb2843f2eb

    • SHA512

      214bef965ff2a8113c05fd371173c72fd94c36e9bfefc102858d2aab4c0f2c0f03773835405d1e489f5ce73243cb2b5b84d256a90d5cc5a8356dfce9b45b1226

    • SSDEEP

      6144:z9KOQS4B4GMSGJpFhsiivgUroam4nt5wf1CEH/+57/B0wU683FbyZc3q64drI1RJ:zsB4GOsPoamI4dCEm5750wUB3F+xxw

    • Score

      8/10

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Loads dropped DLL

    • Target

      Dropped Malware/ups_awb_shipping_post_26062024224782020031808174CN18240624000002624(991KB).vbs

    • Size

      187KB

    • MD5

      a408481803f47324f6479a3b70ad763b

    • SHA1

      1a3232aeec010ce287ea65dd1a24255f95470d48

    • SHA256

      4573cff18a16eacc05034a4de1e11330c71331b15169d4249e8b04f3ab67c2bf

    • SHA512

      aab87aee34a0c93381fb0fb926edc137ffced40bba470b15dd45b798aeab9117f5a4daf30932dccef13c5c898d80f626e18a1a65d8c10b2c111319bb781f341e

    • SSDEEP

      3072:dmN8GGebKjeK3ubth+DCFxKCvBB/WnHPP1w/sLJFJ281QIHz1y8mNy7Ey1MgKTZg:d08GxbKja3+DCbKCvBB/WnHXC/sLJFJN

    • Guloader,Cloudeye

      A shellcode-based downloader first seen in 2020.

    • NirSoft MailPassView

      Password recovery tool for various email clients.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers.

    • Nirsoft

    • Blocklisted process makes network request

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      Dropped Malware/帳單發票_200548224648·pdf.exe

    • Size

      655KB

    • MD5

      76583ad77f92f7c21402dcf6e7a4b613

    • SHA1

      8b20685d00b9c729356f8b3d371da03b326e4a80

    • SHA256

      d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306

    • SHA512

      79c4a2621da0707c22a79b472a3a90f34debb6a9e1266ccf6826886646c9a1e495535ff800fccc08ac35531cce4e84f98b5b68afdf25e040bdc3e1720109fced

    • SSDEEP

      12288:zsB4GOFNFqtVK+NvRHTLii5BpGH1uF5BhZeizW0Ij3:I4GOnFqrnj5BpkO5/ZjKj3

    • Score

      3/10