Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
Dropped Malware.zip
-
Size
9.8MB
-
Sample
240703-2z1bjszhqr
-
MD5
d0581ce7e9911fcd2a002891bde2aa99
-
SHA1
f0c26a67290790cb04d6d8518fb1ca45350ea593
-
SHA256
49042e86af4503a917b8408c4faab2759688065a429015a2c90430fa7371291f
-
SHA512
8363e7e3b2cd0f7354667bb50eba432219e261a35e21edfa8688e1cc36abe22da25ae6c8019222aec24f2ba248f817dd60c081efcf993302f370e7a6a084a9f0
-
SSDEEP
196608:Lq06dZiAS83wMTzBEOv2hFjQLTemwT9BlCljndX5OoGEFBZEbQB8HsK:QL3PEE2hFj+Tyv+ndlIbQB8H5
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.anp-aquarium.com - Port:
587 - Username:
[email protected] - Password:
csl53971@ - Email To:
[email protected]
Extracted
remcos
1218202300
softwareupdatexkwre.duckdns.org:45682
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
hdgd-8HWPTM
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
agenttesla
Protocol: ftp- Host:
ftp://mail.hearing-vision.com - Port:
21 - Username:
[email protected] - Password:
LILKOOLL14!
Targets
-
-
Target
Dropped Malware/01622664c6bf1a51484157d73fb4a42f.exe
-
Size
106KB
-
MD5
01622664c6bf1a51484157d73fb4a42f
-
SHA1
31ff8fb02c3ee252dc497f3768c236d5ccc71199
-
SHA256
4a69a64d652063b65cfe7f7ad5e54491b06547c783d74147c79cb9145536cf26
-
SHA512
378c7afb1186edf12fb0ee9d453d36ca260359e1a666b9b4f0141d62650956918efeaf38de7c7671e5aa4efad3f92b04d0d6696abe84a4c2aff7a916d3ca53c3
-
SSDEEP
3072:wGUSliz0dH2QskPV6+Mt/5z8SyIW+5Iy5iFjEd0twj:lUSlfB9skPVEtBAc2y5iS0aj
Score1/10 -
-
-
Target
Dropped Malware/1.exe
-
Size
76KB
-
MD5
5f9a82f873e71e023fa72a03c6f91bb5
-
SHA1
511174a6e1d7a4c8450bc4ba8a0c8cd813419960
-
SHA256
8c13fdcfeb87abd390f487e9d51d7edcdd6073951a5f96e5c0b1f7d899874932
-
SHA512
b953523757a91dac93ebe8dbc194b89a5bf62d7b89d628cc73a99f37cfc227f463a2928189752c83f7b8355c7abb985317a75e8c6d1372849569763323e64cb6
-
SSDEEP
1536:HQGUSliUwsf2aH2CyQwvN6sWLLb291q6+6EKft/B6CLP8SZstBkqPyB6:wGUSliz0dH2QskPV6+Mt/5z8SyIW+6
Score1/10 -
-
-
Target
Dropped Malware/BNP DOC 12578945329763-7633562829.exe
-
Size
2.1MB
-
MD5
864ec5148797f4e02d42e1bccd9a6fe7
-
SHA1
bc0a0146ef1d4fbab0b1a75c82cc45bbd94b4f2f
-
SHA256
0ec61eda09a5b90027808d2295a193eb7a8e81d440e5460d00a69328c2f9ee81
-
SHA512
13e2bc609ac3fe021b39ffb783d7dda07eb5028752cc22c4adf0363b23624c92618b83b913e95bbc8c854341eb2fc8be5bf6903699031623a8a50b167b593f49
-
SSDEEP
49152:nOD+bTI6YTDml4HJPHDQkOBU0f9iygcrxZ3aU5ZNIrRo2ht1W1cvkN8TCiJ5QtbF:Gv85wDJ5QtB
Score10/10-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Suspicious use of SetThreadContext
-
-
-
Target
Dropped Malware/Comprobante de pago_978989689.xla
-
Size
170KB
-
MD5
d0055b08c9a93f662b3a234a984ceb2f
-
SHA1
8c6df2ae8820912744ce8b717604399bbde46a66
-
SHA256
7203e2e674817c3cc2080d810a2e09323100163a1bd8f8d4ffbf5b9b1729b9c1
-
SHA512
d01d458aeac1c9d027b05af24e51984004d3800d658af7e77798e8352059db2c22377775c7cadf94940b8c4622f501181c40006193d7bf96f97dceb041d1b88d
-
SSDEEP
3072:y8tq3KR9pLmLX6MOXG0A6OM1Qr6tjtmTgY3A1bPjbw2wB5bFJvqNX:y6NCLX6b2ctjtmT5uE2wB5vv4
Score1/10 -
-
-
Target
Dropped Malware/Document BT24·pdf.exe
-
Size
651KB
-
MD5
55d49f5f1c74dc50dd5ca4b0298a9e5d
-
SHA1
594dd375a711937812fa7c93ec57eed34fa50edb
-
SHA256
aac1416d21318d7eec4ecc4e87d91cfbee0b5d569ff9642070c9947c4c59265e
-
SHA512
774ca13ec168e3fe9da983cf6055852c61d39a893b620c5de8e65e725b28baadebe0a5e0b92ddfe9e41dafa4c0d29221b6fe2e4457544618d2ae47c15f5a9790
-
SSDEEP
6144:z9KOQS4B4GMSGJpFhm0fwtOiCB+VlFbdu3ucUHJxk1p8Tl82nRDJE6pYIQZA:zsB4GOVyquXY1E8obE6pYO
Score8/10-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Loads dropped DLL
-
-
-
Target
Dropped Malware/Jailkeeper.exe
-
Size
858KB
-
MD5
c7eefc30a9cdc5bab3269cefde2d221e
-
SHA1
27914bc81bdc74d9607784d9e239f5437b1e8cb1
-
SHA256
2a089fc9b24c5253a913526be0ac2ee62b911a96645cb70885d678c91dcb83c9
-
SHA512
fce33213726f84946162e2c115f67dc4dbfe60af9ca6b6ceb75d576f9370abc98ed0309acf617a2c6f34ffc023632ce1b32391716190980aceb4af84dce3798c
-
SSDEEP
24576:XcIjUna3iVPF+zgyKKht6APjMtiVBsRXRU:kbF50httQbi
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Loads dropped DLL
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
Dropped Malware/LHDNM TAKSIRAN 2023·pdf.exe
-
Size
639KB
-
MD5
0609cbf05b1169cd11a37910df2d74c0
-
SHA1
7d2dd3c50535783bd6d2755c3fa9b9f810c12f13
-
SHA256
798354959e95dc35440eb858765cf22e9e16b7577bba1b637b554aeb27fe86dc
-
SHA512
d1874d83b1b1f6765af5806564cd039cdd0ea03d149c58bff9deccc8d7c1587c46e8681ca00c3ec14801bab23a9b984f9fc1e8438608d415571dadc7ab3de576
-
SSDEEP
6144:z9KOQS4B4GMSGJpFhaI27ySqUawlTFEHhq9/GtGOzx65MTOjbpUYpVslMDRkQZI:zsB4GOaJ6UrFh/GtGOzQ5MTOjb9pWeA
Score8/10-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Loads dropped DLL
-
-
-
Target
Dropped Malware/Order 000293884849900.exe
-
Size
867KB
-
MD5
bac47ab495ba1e8f2d5aed655ce5b255
-
SHA1
5fd56170add16e9e7fabe8683251d55e28e95e3e
-
SHA256
1d8f40654fc90da579349546b0c74fc7334ad8a6fcbf21f87815715e644950d1
-
SHA512
34fb9092b82774fe5495a35bd5da9546a283645a66c5e236b7e8103df946190b1cc42d7fd1941afa45e0f30f2c700d517756bf08cd8b4e36df2069a917d4dfd1
-
SSDEEP
12288:XcIjd3nQIQsk3na+Qi9lO7raaXyH1JAnItJFxFm8RLbNk388mYpATkFRs2/mA8:XcIjUna3iDzGw1+ItbfNI38DYpATGshB
Score7/10-
Loads dropped DLL
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
Dropped Malware/PO 903886563 PDF.bat
-
Size
3.3MB
-
MD5
617c9a6889d4ff7ddb750572820c92ca
-
SHA1
6d6eff808d2cef7d5e9e4d080732dd1af1d0df59
-
SHA256
3fae97aaff7c1019e9c999a6d7cc3878dbde9f457b7e89b25081c519183b282d
-
SHA512
d9a04b2e24a5ec6e53ce295796ea82b954ee0338209384f4aa3e963ef80cffa44d40188245e1a064ff734beb99c7b2a4e953a2beaa02d7a598c07c8988103947
-
SSDEEP
49152:KVVV5AimK+13kDHc1Fc0sUiXltqXZ0IdSMvnH4db2G7+:l
Score8/10-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
-
-
Target
Dropped Malware/PO2024-0961.exe
-
Size
1.2MB
-
MD5
72f3a4a4cc00e2b6f64e0a204678de73
-
SHA1
9abfc40bb6c14ab8414a2a5990b7efbb90073b22
-
SHA256
c10e5f7f008da5ed2a5b08326d57e7d6b052644df78facc7bbdca7b0ed366254
-
SHA512
a0d33db745e247c63c2315c55c004b5e25e86b45ad454adc2c4121dbac44dc3418cec4ebf790c039b71f00668881dd66b83a87448eab3b83e06ea7ffe8b4c111
-
SSDEEP
24576:RAHnh+eWsN3skA4RV1Hom2KXMmHaehqzGtIK+5i5DrgNV7N5:oh+ZkldoPK8YaehFyx5IDrU
Score10/10-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Drops startup file
-
Executes dropped EXE
-
Modifies system executable filetype association
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
-
-
-
Target
Dropped Malware/PRODUCTS LIST pdf.exe
-
Size
541KB
-
MD5
32c4e05aa7f5a3db58952fc06a00431d
-
SHA1
db05864bb7349e3e4cb35d51a03c7110d049fa8f
-
SHA256
a745afdd5cb81567de1560ead34145f713b7894058aa2097d755bf5d09b9d34f
-
SHA512
88880e24e35ca74001b9e20599c8bab3f11f37b200d14517a2a985adbc0f20247538c5d2646d2f6bdaac4d72fbb35f36e38ea5386c323d4b0881ddd7b4c52f3f
-
SSDEEP
12288:l99glhxbCawPRlsp8UQnF6mYlBNS61kf4mQKBWQ2:lGwJH5nEtS61MnQKBWQ2
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
Dropped Malware/Product Inquiry466789.xls
-
Size
464KB
-
MD5
9a188fc2dccb4a90c872e16259462fa7
-
SHA1
e56151f5e64aadedc0d4b173041cace2f8edf246
-
SHA256
3a7d034a793a0f03dc9930446aebf326320140584eeb171909962ec7123f9e5e
-
SHA512
090eeeb19d56668615c4efce2ab06e547e9ecec0f5f7e629afdeb1008db8644357b35230ff574c74c0be05c273dcdc7bd3ce5ae4ae545d27b3dc442101785c63
-
SSDEEP
12288:8uyqFzu4L0o37h6NCLdyJa9xeBDh8UTxDyJ:8izu4L0I96NCRyJa9xeBDlT
Score1/10 -
-
-
Target
Dropped Malware/Quote Request (Tupy S.A.) 523AM - 924BR·pdf.exe
-
Size
648KB
-
MD5
93a658e985408e0538044b8b91a2729c
-
SHA1
c1f250915cb43fc6a46d29dc28a1f09881fe0ded
-
SHA256
1789a36b829cd09dc4fd24323a0d1bb900494714b4cc7083af651630f2c42d2f
-
SHA512
5337c140a778e4ababf7dd82fcd280feb2a7e9e9db981c7fed1fff9c0ea8d562afe71992aa054e98ba9c715f0bea48d939f98b171110a7aaffcd372d23e2816e
-
SSDEEP
12288:zsB4GOFuvCfdDrklbm9QfwYUcTWQ5xQryR2:I4GOFCCFf4m9ESQWQDQ2Q
Score8/10-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Loads dropped DLL
-
-
-
Target
Dropped Malware/REQUEST FOR QUOTATION_pdf.exe
-
Size
1.1MB
-
MD5
8f72ae5c3e68e643690aea36735a95bd
-
SHA1
ed901f56acd0fdf9acf586ee84cd22469a92c285
-
SHA256
e3f20d09ed34a08bc3a8c6ebf4bceb079c24229e8b7765a2e679a0ee4a6df28a
-
SHA512
aee44099bb33d6a628221dcd1feb11ad537aa3d9ed76643368cd915758c8bad68e533b4b3a406c0b82b72ca0ee47ffc229dab849461eb473e2176f0b30894308
-
SSDEEP
24576:5AHnh+eWsN3skA4RV1Hom2KXMmHaWQ7JttVeq4RqULd9DEEC/oWb5:Ah+ZkldoPK8YaWQ7J554FHao6
Score5/10-
Suspicious use of SetThreadContext
-
-
-
Target
Dropped Malware/Transaction_Execution_Confirmation_000000.vbs
-
Size
187KB
-
MD5
37f090cc76db33c457b77c6b2c6bb13d
-
SHA1
7c499fca1564ea4fb48cc2b72212bc3f857443ab
-
SHA256
36e517cbfb12bd2e58446d7ae27d76baf3e454a793e8c629667fe067839ec23f
-
SHA512
90aeb5b01c9309c49f35541d97f7532ed7a564fee986bf111a6f33bb41339e54f9972368179632ee5d6bdd8840811dc665a56ff5a26b159bbe764279f7be0de3
-
SSDEEP
3072:VmN8GGebKjeK3ubth+DCFxKCvBB/WnHPP1w/sLJFJ281QIHz1y8mNy7Ey1MgKTZJ:V08GxbKja3+DCbKCvBB/WnHXC/sLJFJW
Score8/10-
Blocklisted process makes network request
-
-
-
Target
Dropped Malware/faktura_7171503997·pdf.exe
-
Size
648KB
-
MD5
af7493a9e9ea9a5181ebc8ba0c3bb7bc
-
SHA1
809de7c88d3a53a4ec803c37e232c12037c48911
-
SHA256
a77c2d0242aa3601ba7b257ab9bdb4fcb717f64a8cd6da3178e517bb2843f2eb
-
SHA512
214bef965ff2a8113c05fd371173c72fd94c36e9bfefc102858d2aab4c0f2c0f03773835405d1e489f5ce73243cb2b5b84d256a90d5cc5a8356dfce9b45b1226
-
SSDEEP
6144:z9KOQS4B4GMSGJpFhsiivgUroam4nt5wf1CEH/+57/B0wU683FbyZc3q64drI1RJ:zsB4GOsPoamI4dCEm5750wUB3F+xxw
Score8/10-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Loads dropped DLL
-
-
-
Target
Dropped Malware/ups_awb_shipping_post_26062024224782020031808174CN18240624000002624(991KB).vbs
-
Size
187KB
-
MD5
a408481803f47324f6479a3b70ad763b
-
SHA1
1a3232aeec010ce287ea65dd1a24255f95470d48
-
SHA256
4573cff18a16eacc05034a4de1e11330c71331b15169d4249e8b04f3ab67c2bf
-
SHA512
aab87aee34a0c93381fb0fb926edc137ffced40bba470b15dd45b798aeab9117f5a4daf30932dccef13c5c898d80f626e18a1a65d8c10b2c111319bb781f341e
-
SSDEEP
3072:dmN8GGebKjeK3ubth+DCFxKCvBB/WnHPP1w/sLJFJ281QIHz1y8mNy7Ey1MgKTZg:d08GxbKja3+DCbKCvBB/WnHXC/sLJFJN
Score10/10-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Blocklisted process makes network request
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
Dropped Malware/帳單發票_200548224648·pdf.exe
-
Size
655KB
-
MD5
76583ad77f92f7c21402dcf6e7a4b613
-
SHA1
8b20685d00b9c729356f8b3d371da03b326e4a80
-
SHA256
d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306
-
SHA512
79c4a2621da0707c22a79b472a3a90f34debb6a9e1266ccf6826886646c9a1e495535ff800fccc08ac35531cce4e84f98b5b68afdf25e040bdc3e1720109fced
-
SSDEEP
12288:zsB4GOFNFqtVK+NvRHTLii5BpGH1uF5BhZeizW0Ij3:I4GOnFqrnj5BpkO5/ZjKj3
Score3/10 -
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Change Default File Association
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
3