Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
CyberDEV Client.zip
-
Size
55.9MB
-
Sample
240814-ggy1jsxfkf
-
MD5
ad556d641cf1b45dfa32d2cf7131c711
-
SHA1
d12ed4f1bba17f399d8221ff6964b049bfdf0955
-
SHA256
7b476bbfc4d37fa50c1c5bec98b2e8aede8087b8873eb7de27b78ad4446dddbe
-
SHA512
00def17b19fff0f5618da1ab01a97aa07e517c612b5a562b1acf5f5eaa3d2c7d83af5b468292e32c3db3f64452a7d75912446785c5fd63e46dc35645a8c33fef
-
SSDEEP
1572864:ify3jDn6crTEyjuHvRl8KQNKlCziTYcGHDX/nGYl/LxL6Ya:NHrTEpHvRl8VKlxzGS2N6Ya
Malware Config
Extracted
https://www.python.org/ftp/python/3.11.0/python-3.11.0-amd64.exe
Extracted
https://www.python.org/ftp/python/3.11.0/python-3.11.0-amd64.exe
Targets
-
-
Target
CyberDEV Client/lib/selenium/webdriver/remote/command.pyc
-
Size
5KB
-
MD5
307283633a2bc4518f649d02d8c5ddba
-
SHA1
6941e4f91a294f0228687a01692c12771d88a523
-
SHA256
292fa5eea227bb2d15109ecd3bc422d68714ab671a7d9b8946998b38a7229c09
-
SHA512
0980c22229bdaeba7c4277c7ed92b721a0ee4d3d7763de27eab679efd1100a394301d363a1e4db5ccb945c8cda4c3132f3129d1915d1ccb1dae192267801d1fc
-
SSDEEP
96:0ZpXjpIszI2NySTXjHPOJQKo12xUxHNNOpkRNTqOIOFyM848mNVOoT7V9OX13Nz2:qVjpvygTHPOJQHcxUxdTyHNinV9OUH
Score3/10 -
-
-
Target
CyberDEV Client/lib/selenium/webdriver/remote/errorhandler.pyc
-
Size
8KB
-
MD5
3130d50cd4a4be3b523587cc14fe0ab3
-
SHA1
f38e9bb41695b2cf43f02308d313202077d43607
-
SHA256
8baa518d72a1fdd8a61d7c6e28b0b2bd709cc4b4ebc6a0c4f57d8cf75ed2620c
-
SHA512
96b24a4c85953fb26001bf20418aacbd4e68a3d1721ffd68ba4231801d5d36085a3049ea0601b984ad747e07244731119e3605d7fd0cb2e76006b5c9f44b8a50
-
SSDEEP
192:gi8qUGzqYl8Z9pm+twGPse57RoXyef2V4WT/zLdSf9yd:d8NG+/xxEf2VNIf9g
Score3/10 -
-
-
Target
CyberDEV Client/lib/selenium/webdriver/remote/file_detector.pyc
-
Size
2KB
-
MD5
87d6c3be641933bf41e627b32e8a48c9
-
SHA1
b322fa4dbc38547f493acf79abd93217aac1e32b
-
SHA256
49d0bf158ca9fb2f3ee40197bdcaf5c005d7e6c2cee4e084b9e989f74b29aecb
-
SHA512
a8db1c7461ab84490bbc7ede93350f82d8f2fc09356996bdd4869e6483aa454f82f06cfa3561b6c44938dd932baa318b73ea836bdaf2db6c38726fe0986ea74e
Score3/10 -
-
-
Target
CyberDEV Client/lib/selenium/webdriver/remote/findElements.js
-
Size
52KB
-
MD5
a5e246e5b9156c0e64a17e53e73671e6
-
SHA1
307a4a0ef42b004a844037d60275a9af94786709
-
SHA256
f34a83998d38484de801c7d97d32574dfbbd5213968c78a6085f0b5c368f9fad
-
SHA512
aa97373aeacb1a437818469d0bc96bbfc9a9590c02e736f4ff86c3f3760066ca92bc981d8e830eb866e929d22083febaf0d8366558f4b4ff4870f0f5491d2063
-
SSDEEP
1536:AXJFPWr+DEqXMn9XM3UkGdEMT8TZZ/6QSsdbj3SYKlnJ+S/Bf:ITU7dW6QhbrXS/Z
Score3/10 -
-
-
Target
CyberDEV Client/lib/selenium/webdriver/remote/getAttribute.js
-
Size
5KB
-
MD5
e02d070d6419978d26f2d771541f79a4
-
SHA1
53efb9c65d5eb60850225313c5251a68bdef6476
-
SHA256
df3f5a60c6ae1c5b35760c0389f299406e14ec3b68ba6ae0511ce18cb7c20cff
-
SHA512
dd459bba00feece414f8bc7546927b5019f84c12cb58041ba85e22f7a8a9501723a0fd9b9d6c900469983e81d8ee84c6426a8906ac794c673fe2b6ecbf84a75f
-
SSDEEP
96:pSRH16yveW8EDrQN3N72l17l0qoIeqlr/yZStiZMxzWJ2ssKPhBX54UctJOJK:pSRH16yvfgN3NW1DoI2ZStzaJzsKPf8V
Score3/10 -
-
-
Target
CyberDEV Client/lib/selenium/webdriver/remote/isDisplayed.js
-
Size
16KB
-
MD5
242b20671aadeb2edcf5c0394686cf40
-
SHA1
926ae986a71aeefe20dbf23d47437f5f9a6fb186
-
SHA256
c47a1d83321abd87bf054c80a4db4912108cf0af151958a1e563e57f9bd7fd56
-
SHA512
53aeda4b6bcf8616704c44619aa123dba3e5455817bd8d7145e0395a77ae204f33ee4832407e3fbb3fbd0be3c779d20173e941ebe9481774e9c5d503ead07776
-
SSDEEP
384:mSTsGtSMMC6tR69PEMzX5iNTLWO5hHaEhgNTOp77X93zS+trehT/qT:mwn56tR+icT/qT
Score10/10-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Powershell Invoke Web Request.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
-
-
Target
CyberDEV Client/lib/selenium/webdriver/remote/mobile.pyc
-
Size
3KB
-
MD5
910d8cba2873be53dc7b9be0794237ab
-
SHA1
9241a55557d36eaf2479a64d689ba0c8d1403357
-
SHA256
90d57e8cbe54c0e4ad3382ad8ebeb79e5c25b1aec7bdf385fcf11839eaf3e08b
-
SHA512
2423a26f24aa7d37aaba2e6cb6d8913161b6b130f9f67d19d740f98c248a5c08c45e13721fbafc289cb82dbb698b921fae8903db571694bc60094f219e15790d
Score3/10 -
-
-
Target
CyberDEV Client/lib/selenium/webdriver/remote/remote_connection.pyc
-
Size
22KB
-
MD5
3e3051750eb79c9e0bb75f225c33cb62
-
SHA1
3fc51d54a357e9b51c6ac2ad2d14145499037a84
-
SHA256
dbe6a4386ba87833f2076f6dc6122d5073defd42681d18ee931219a6bfef92a0
-
SHA512
95b780ad8e628f975a0c33fb492f70fea4ea319d603f9c84ecc5d10daf3f7268f6eea7e743f378cdd7b548a3be1177e421e2b576b967cc51a73abfb08b1d9629
-
SSDEEP
384:eRfgZgleqsU1W2frvujwA9AOZASmWn2boukdjAoFVxDjNB4ypF:3qleqsUVjOT3BmljKcDypF
Score3/10 -
-
-
Target
CyberDEV Client/lib/selenium/webdriver/remote/script_key.pyc
-
Size
1KB
-
MD5
288c6b352dee51939973a5e33999fe08
-
SHA1
700e55433a827af75b6530018cda35a00cb24f2d
-
SHA256
3758f9a4f71d89cd887725e8ab94c083f43e5414f06ce4398687c02a54004bd7
-
SHA512
227ef8113860720eabc8a53d9111f7c0ff6b4e427f8573a903e1f397fa352a2a1567d5a11e8935245f984f1d1cbfcb18380e7aa4b8c0b9cc41f68327170abe7e
Score3/10 -
-
-
Target
CyberDEV Client/lib/selenium/webdriver/remote/shadowroot.pyc
-
Size
3KB
-
MD5
9a6e43648c698d8e00ea626b2487ce97
-
SHA1
c292ce9d88fe4e3df2ba14c926b290c1c3ca9918
-
SHA256
b26741176f75f8eaf2cb0c542b1f4fc8d91feacc94b6ec82148de60108ccb529
-
SHA512
ef32fc445f3c7c883456f5467ccc683041284d73e9c3a61ea9db9a3358fe58001a0505f309500d23981f0e5a2e87ca3021cf8ee53135443c65bd162ab4006ee3
Score3/10 -
-
-
Target
CyberDEV Client/lib/selenium/webdriver/remote/switch_to.pyc
-
Size
6KB
-
MD5
a4f7f1c03bd23323e9cdbbea8fe2f5a7
-
SHA1
a7155b2fc34773b580f8078e9bdee6f0eaef79d2
-
SHA256
55056bbe51592d0bee90042dad783e6fdf6f97cbf577530d625cc5db9dcc18ac
-
SHA512
70150fd0f85d7fbf4860be8720b50db49eee80460d7a15648720fe23f7473c2990054bef3a772dd156b7f54be309d384c558db48e304267328d1dd026da37c23
-
SSDEEP
96:3T7isYn4mI+5QvCokxPXKvj5ywAjup1zPewd5zwKky:j7W4BwQvwXGAjuLj7iy
Score3/10 -
-
-
Target
CyberDEV Client/lib/selenium/webdriver/remote/utils.pyc
-
Size
727B
-
MD5
c5b0c9d4946cbc737967509e6c83db1b
-
SHA1
6814fa7a5b243143ccf3624bd08f31fff836cde8
-
SHA256
796ea27fba24f8c0b79e88fb831b4a44c6e1fc18b9785d23e357bbab47f94b09
-
SHA512
15a46870cc614ba1b593cb06679faaf6f21f5b4c32c15012197ea9041f9ce85d793e36e0183d4fe90a688c8cc619595974587350dc037db11dcf93ea3c04dea3
Score3/10 -
-
-
Target
CyberDEV Client/lib/selenium/webdriver/remote/webdriver.pyc
-
Size
55KB
-
MD5
6755f3811ca78c00cb01406d6e7e8ff4
-
SHA1
021dbd7815b4a02aa7fd133a8402f5c36dc7567c
-
SHA256
c241db147dc9656fdf7e6a693a3b85b23e5c2b5ef908450b02215fd117f3f9ed
-
SHA512
f936c53cc71be7d2098d4ef40b8bb35ca4c28e48d52d45030aed436068cbabc879a5efc10eb276bbca2381feb7913176cd6bfe7180c9275f3ffe6be78f1968c2
-
SSDEEP
768:2uOLuxo4lDgbjYS3vX2kxEJXV6X9TtFEpnuYBuE5lXT5sqHb8+n7EdwIi:2soIR9lX4XHKpuYBuE5lj5H78+nD9
Score3/10 -
-
-
Target
CyberDEV Client/lib/selenium/webdriver/remote/webelement.pyc
-
Size
21KB
-
MD5
9d53b34deaa155ccd5a9daaa0c1b46f0
-
SHA1
eb20d3e302a5681dfed1a7f901acc13f92c10851
-
SHA256
3bf5e7a87580424db227528e304bce35388cfc31f30742c3e91e63d849fc35fa
-
SHA512
9347d8b8155077ddb5f8379436d4f680c1f5fcfe9096bdedff245daebee5616e7ecf64ac447ee243107d5e7d6a5e153ca8dea1320ce31062f6bb7fa507e874a8
-
SSDEEP
384:ZIYdzhjJ8mreOCTkVUwTMDhdGiahhq92pWo6yuZoBK:ZIYlhjJ8mreOCYOwKWVTq92pH6yuZoBK
Score3/10 -
-
-
Target
CyberDEV Client/lib/selenium/webdriver/remote/websocket_connection.pyc
-
Size
7KB
-
MD5
e3b2213e4d662d74d8676cc7c9511b39
-
SHA1
4ad9e652cbb840e84d8ae0c5127a65dc61491f2b
-
SHA256
542ce0231cded5ce351632d136c108f74ccf9c39574385b47a1c2f480dd26ad1
-
SHA512
098f85b6916823f2c0b0ff1fad3b3e5a184f37cbea59abe8c124f6095ce7348f29d76525c460d3c59fdff9d76c756b98d0de60e1acf93101172489dae819a61f
-
SSDEEP
96:ahqgIierjGA6kL9Gwv2e5D9hSDtzJg/4B9NnStkere:WqQHOxJ9+tzJuqeK
Score3/10 -
-
-
Target
CyberDEV Client/lib/selenium/webdriver/safari/__init__.pyc
-
Size
205B
-
MD5
92b666552031db73604c2d0a3a905919
-
SHA1
9cbc8044f6ac0dea3b9752a4c81faf08d96532fa
-
SHA256
6303aeb5b2c80c55783599899b568ceabe6f66739a6c6a380f1260943e04e3ba
-
SHA512
adff07f60f132e256a943c9f344e3c689a1e6967728c9dbc4313a10a1890a23352a9fecaf91fc97f602f7de2cc0edc4bf6b4dda946e550c3aac77d4720062b38
Score3/10 -
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Component Object Model Hijacking
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Component Object Model Hijacking
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
1