General

  • Target

    cf52051f68630359830c5b2d6c9b8ff3b6e95c5667238787f2972accc0bc0201.exe

  • Size

    251KB

  • Sample

    240812-mmq5saxcnr

  • MD5

    abf939bc3a20a604f88b1dd4399ca2d7

  • SHA1

    c656a5989a07d9b104c1eb144d4609d50264bee4

  • SHA256

    cf52051f68630359830c5b2d6c9b8ff3b6e95c5667238787f2972accc0bc0201

  • SHA512

    a623060911ddd9fd4ecd8725a9ef6324f391a46fd800fb425b3b2fe7f3affe9c8bfabb6f5b9b9b55aff49cdc24f610530889ba159014dd49974d1431b3797abd

  • SSDEEP

    6144:PYa6dVy0sCLFy97dXRusmcsTA1A05WntAI00cSz4B:PYRnnLFojusmBqCue4B

Malware Config

Extracted

Family

originbotnet

C2

https://mmelak.com/gate

Attributes

  • add_startup

    false

  • download_folder_name

    4si50kud.vpv

  • hide_file_startup

    false

  • startup_directory_name

    pRcub

  • startup_environment_name

    appdata

  • startup_installation_name

    pRcub.exe

  • startup_registry_name

    pRcub

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0

Targets

    • Target

      cf52051f68630359830c5b2d6c9b8ff3b6e95c5667238787f2972accc0bc0201.exe

    • Size

      251KB

    • MD5

      abf939bc3a20a604f88b1dd4399ca2d7

    • SHA1

      c656a5989a07d9b104c1eb144d4609d50264bee4

    • SHA256

      cf52051f68630359830c5b2d6c9b8ff3b6e95c5667238787f2972accc0bc0201

    • SHA512

      a623060911ddd9fd4ecd8725a9ef6324f391a46fd800fb425b3b2fe7f3affe9c8bfabb6f5b9b9b55aff49cdc24f610530889ba159014dd49974d1431b3797abd

    • SSDEEP

      6144:PYa6dVy0sCLFy97dXRusmcsTA1A05WntAI00cSz4B:PYRnnLFojusmBqCue4B

    • OriginBotnet

      OriginBotnet is a remote access trojan written in C#.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      dovhbys.exe

    • Size

      202KB

    • MD5

      0bef3d69abb4fe0e2e175ce823b2aa55

    • SHA1

      aef3193926ef341507fc931c1b375e19eb872bd3

    • SHA256

      2e422f230bd4a88cc223995a131d6ce9316eea7087d84d059fc45a35af3ea26c

    • SHA512

      f49e671ed2e8d0e029a214ed0b80b88b2f671ef2d1fd4f49b5da2fa64dd2d4fe2e73f615734a2f5222a5c5627474c55f54dae2f90d9b95df3c08b55fea27fbf0

    • SSDEEP

      3072:0TkPSL1oCO72F8SgdU7sJJKGG/oADbA9McY2/mq3+Ag0FujqgA0e38:0IPSLSU8PdU7o0GuHAyc9uAOli8

MITRE ATT&CK Enterprise v15

Tasks