Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

9

Static

static

3

zeroroblox...UI.exe

windows7-x64

7

zeroroblox...UI.exe

windows10-2004-x64

9

zeroroblox...ook.py

windows7-x64

3

zeroroblox...ook.py

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    zerorobloxmain.zip

  • Size

    8.2MB

  • Sample

    240819-zmdwnsvekh

  • MD5

    046cde54d44485f022792447c2fb06cc

  • SHA1

    3a1d88bd5ca223b0260ead31e2184c07059f56dd

  • SHA256

    8a0ebabd9ad0d5314b1a04c30d3fc972ed5a8bb8cf5c8e045e497373ba6f066c

  • SHA512

    108068a048df338c8129a449796f63c0e4b1cc5a2df82343afb12cefa1aaf17e9a32819210d2ecf49b4eb7d3aecf9f8e9baee6d0db18451a769e62c230cce63b

  • SSDEEP

    196608:2pMJ9t7od/1Hj3LCryBfqDh3kRf7/RX/fw+Pvmyydrl:2pMJgdN2yYDh05LRvo+PvnCZ

Score
9/10
collectioncredential_accessdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationpyinstallerspywarestealerupx

Malware Config

Targets

    • Target

      zeroroblox-main/Build-GUI.exe

    • Size

      8.3MB

    • MD5

      d323bb28562b2fdc19900b81952d6c8e

    • SHA1

      8674ba3aa877b48bcbf29f8c1d6397e791274e15

    • SHA256

      a8ed69495497337c77cc6512d3a0975960fcc2466420bbe57c819c3f15d5565e

    • SHA512

      2d5311ca5aacd7ae789d9fc2a7f7ce1d4de9b2f779848bf2d741dca210b5d456246201c172ce6042dc192117b9c36a7558209c2919289e2c7c0f905e7010fe51

    • SSDEEP

      196608:EFZpb7KX/BdvZ/eNWPfm/pf+xZudXRR7h5CrfOMWZQ:AZYXpIWm/pWvuVRFPCrf/s

    Score
    9/10
    upxcollectioncredential_accessdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationspywarestealer

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

      collection

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates processes with tasklist

      discovery

    • Hide Artifacts: Hidden Files and Directories

      defense_evasion
    behavioral1behavioral2

    • Target

      zeroroblox-main/webhook.py

    • Size

      1B

    • MD5

      68b329da9893e34099c7d8ad5cb9c940

    • SHA1

      adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

    • SHA256

      01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

    • SHA512

      be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

    Score
    3/10
    discovery
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Process Discovery

1
T1057

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Wi-Fi Discovery

1
T1016.002

Lateral Movement

Collection

Clipboard Data

1
T1115

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks