General

  • Target

    Clash.Verge_1.5.4_x64-setup.exe

  • Size

    25.8MB

  • Sample

    240829-cngydsydng

  • MD5

    3f614b108ea9c666bd8077f2637e31f9

  • SHA1

    c1603f4a77b5dd004f9d5f860362d2c797905304

  • SHA256

    e4642f6ecf8e2fd74dab5f966f6e7cac8cb0435c15dbe24ce8ac7e96708ca550

  • SHA512

    9034329b43551da10799b1564ef69b395e14c0e71e74d11585d65f15f4cf2cd413246fd69da7ef81344172fc6273606e9f040a0c49e84fb9d6a1d623ad0fda1c

  • SSDEEP

    786432:wweIwIow8KjeEpahVOE4gf2wKGtmuNU8Zs2Jp:ww9w/KDIfOngudGtmwU8C2H

Targets

    • Target

      Clash.Verge_1.5.4_x64-setup.exe

    • Size

      25.8MB

    • MD5

      3f614b108ea9c666bd8077f2637e31f9

    • SHA1

      c1603f4a77b5dd004f9d5f860362d2c797905304

    • SHA256

      e4642f6ecf8e2fd74dab5f966f6e7cac8cb0435c15dbe24ce8ac7e96708ca550

    • SHA512

      9034329b43551da10799b1564ef69b395e14c0e71e74d11585d65f15f4cf2cd413246fd69da7ef81344172fc6273606e9f040a0c49e84fb9d6a1d623ad0fda1c

    • SSDEEP

      786432:wweIwIow8KjeEpahVOE4gf2wKGtmuNU8Zs2Jp:ww9w/KDIfOngudGtmwU8C2H

    • Downloads MZ/PE file

    • Event Triggered Execution: Image File Execution Options Injection

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Target

      $PLUGINSDIR/ApplicationID.dll

    • Size

      198KB

    • MD5

      91c2e2f34b5bba068e9a6178e13a4e5c

    • SHA1

      affcac00894c9afd152e55d0bff7899349edcd6c

    • SHA256

      f6851dcbf0a39edecd8a46564bc455e5273736c3dbcb02b954c201c79ccdf117

    • SHA512

      ce7f629bc0e6e10eca9d671513062f353d8d47666df58c9ad7cc7f767df520b75b2da1f9d6551eae86c738455919463ec89a0c3dc2a8366fa021e6fa6e292000

    • SSDEEP

      3072:/1RnVZfr2qLTV4U3fKHzy/s3fyitDJXqtZnyj80mAg0FubAPl/IJ:/Hnzfr7HU6ipJaLAOKy

    Score
    3/10
    • Target

      $PLUGINSDIR/LangDLL.dll

    • Size

      5KB

    • MD5

      68b287f4067ba013e34a1339afdb1ea8

    • SHA1

      45ad585b3cc8e5a6af7b68f5d8269c97992130b3

    • SHA256

      18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

    • SHA512

      06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

    • SSDEEP

      48:S46+/nTKYKxbWsptIpBtWZ0iV8jAWiAJCvxft2O2B8mFofjLl:zFuPbOBtWZBV8jAWiAJCdv2Cm0L

    Score
    3/10
    • Target

      $PLUGINSDIR/SimpleSC.dll

    • Size

      1.1MB

    • MD5

      7b89329c6d8693fb2f6a4330100490a0

    • SHA1

      851b605cdc1c390c4244db56659b6b9aa8abd22c

    • SHA256

      1620cdf739f459d1d83411f93648f29dcf947a910cc761e85ac79a69639d127d

    • SHA512

      ac07972987ee610a677ea049a8ec521a720f7352d8b93411a95fd4b35ec29bfd1d6ccf55b48f32cc84c3dceef05855f723a88708eb4cf23caec77e7f6596786a

    • SSDEEP

      12288:fRdJsAp4dXFcLBz75cwoCmJKHwe6VuoH9v0D/LF5mM6:fBsmyVS151oCmJKE1dv0DX

    Score
    3/10
    • Target

      $PLUGINSDIR/StartMenu.dll

    • Size

      7KB

    • MD5

      d070f3275df715bf3708beff2c6c307d

    • SHA1

      93d3725801e07303e9727c4369e19fd139e69023

    • SHA256

      42dd4dda3249a94e32e20f76eaffae784a5475ed00c60ef0197c8a2c1ccd2fb7

    • SHA512

      fcaf625dac4684dad33d12e3a942b38489ecc90649eee885d823a932e70db63c1edb8614b9fa8904d1710e9b820e82c5a37aeb8403cf21cf1e3692f76438664d

    • SSDEEP

      96:h8dPIKJhMuhik+CfoEwknt6io8zv+qy5/utta/H3lkCTcaqHCI:yZIKXgk+cx6QYFkAXlncviI

    Score
    3/10
    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      cff85c549d536f651d4fb8387f1976f2

    • SHA1

      d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

    • SHA256

      8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

    • SHA512

      531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

    • SSDEEP

      192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr

    Score
    3/10
    • Target

      $PLUGINSDIR/nsDialogs.dll

    • Size

      9KB

    • MD5

      6c3f8c94d0727894d706940a8a980543

    • SHA1

      0d1bcad901be377f38d579aafc0c41c0ef8dcefd

    • SHA256

      56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

    • SHA512

      2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

    • SSDEEP

      96:o0svUu3Uy+sytcS8176b+XR8pCHFcMcxSgB5PKtAtgt+Nt+rnt3DVEB3YcNqkzfS:o0svWyNO81b8pCHFcM0PuAgkOyuIFc

    Score
    3/10
    • Target

      $PLUGINSDIR/nsis_tauri_utils.dll

    • Size

      968KB

    • MD5

      0ba06473cec3f0e72fc6865d870b6bd9

    • SHA1

      16df1d1a5b4d5df3859447279c55be36d4109dfb

    • SHA256

      2b454443f12806d9e531e18bf19933c0aad1cd8ae397c71b99e814566e6bb5fd

    • SHA512

      42b3c4ce685afb43b8ba235b29919f7fdbc1997618b74d189817d14d1d80e52ea67f6e614d4097bce6ca53b90d46a6d6a54882cd2ea176134a308b64a2b882cc

    • SSDEEP

      24576:v2zSi+70fdjsUD5Y/CjsS5NpIMDcuHeoPffPJT1Qn652hOfuvNwRnkYkN2IO:ivm0TYKw8DnVbTwbBInkYkN2F

    Score
    3/10
    • Target

      $TEMP/MicrosoftEdgeWebview2Setup.exe

    • Size

      1.5MB

    • MD5

      2fbe10e4233824fbea08ddf085d7df96

    • SHA1

      17068c55b3c15e1213436ba232bbd79d90985b31

    • SHA256

      5b01d964ced28c1ff850b4de05a71f386addd815a30c4a9ee210ef90619df58e

    • SHA512

      4c4d256d67b6aadea45b1677ab2f0b66bef385fa09127c4681389bdde214b35351b38121d651bf47734147afd4af063e2eb2e6ebf15436ad42f1533c42278fa4

    • SSDEEP

      49152:Py+3n/URd7ygwxXXOMzrn7yOcIEjg0VonVl:PyaC75wxXOMzr7yOAyVl

    • Downloads MZ/PE file

    • Event Triggered Execution: Image File Execution Options Injection

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Target

      Clash Verge.exe

    • Size

      9.5MB

    • MD5

      499fdd71a2fd059cf6b60bd9fecfb688

    • SHA1

      461177473ceb01b845efbbe22cd3507e4cc1a25e

    • SHA256

      00121067ba92f12bd03cf5c293892b2f9eca1891ea14d0cf36be5c7095ca8b34

    • SHA512

      7dd403f879b50480dd07ac60906ae97f042db9ae28189593ffd7c5b972c38969b1595eba8c2611ef11f641839627378cfdeeb5cd364c1ef11527fc0472667ced

    • SSDEEP

      196608:lUfkc0vrVMLhgUKOc6+1Pqc7Unsu/jSYet:luk6LhVhcJqco/jSX

    Score
    1/10
    • Target

      clash-meta-alpha.exe

    • Size

      24.2MB

    • MD5

      b6d30103d72364c5c6b8b6101feec352

    • SHA1

      40843a86d6d2245ce18e24a4e4ccff3c665ae0bd

    • SHA256

      a495df4a19ff3001629b88d9beda766c6ce0f3c23d1d1fd8b72b2b26ee9406b8

    • SHA512

      8ebe762563736d825f065f5abbd274ccfd199fec0eec2689b340cdc53ffd3ee579fb4884e79859781c8abbb35374832f26ed8f25e38734973bbb3105595f4d28

    • SSDEEP

      196608:hn1onMipupttN/XVu674IQb20uPi9sWCZq:hnQMiYLH/HQq0uSsWC4

    Score
    1/10
    • Target

      clash-meta.exe

    • Size

      28.1MB

    • MD5

      f64dc3b8fbe0f8195acfdf144061f471

    • SHA1

      99da00a5e40cf1b6501329e2d05b10cce4571271

    • SHA256

      dff5634f57856309e141f5420fa18b586a2d9e6bee5c4abbc8605ea5cf2b5716

    • SHA512

      5a58de453a3f8d7a144fa1982c01c4a011794d4c98992c123c9b2809b59013a3b55b5893ed02c20410f33f7c2100cc36e91a59176ea71b43b8c17f68bdc745c9

    • SSDEEP

      196608:9OX08B8+gEjLi3TWd57Tco6eW0zAUDkDyIAEZw:9OX7B8+ZLi3TWTHDI0vI6

    Score
    1/10
    • Target

      resources/clash-verge-service.exe

    • Size

      810KB

    • MD5

      e55991f7c18f2a16cb34a76d29ff0a12

    • SHA1

      9d0a590daf3bf5a2ce4f9124619185b4f5fd3040

    • SHA256

      7545f1cf2cb477cd0ccb15d00f61e80eefc1b25ca834f8fdf1204338a83f4e68

    • SHA512

      bb6543a483bb2efccef87db7378ae81a622fb09af0fbc7e68fa2f84194e666f1addcc2d054ab321b7b1a4dd62966e83b716f54cfcb294bb9b116c93a952f6ec5

    • SSDEEP

      12288:V9eUsVlYFq1d5ozJeuDljRGm2vbdqC3EEuI0b6SQryZ:V9eUspJuDltedqC3p

    Score
    1/10
    • Target

      resources/enableLoopback.exe

    • Size

      95KB

    • MD5

      5d16400084f534535c922180c562bd70

    • SHA1

      20444c63a2e6ff17a1970f8af0744c0ccfdbb659

    • SHA256

      0ccf6f4b2f6e89ddb50b3075fd6b604ef7c0d6b13ce377781d898dcd8f9c91d7

    • SHA512

      b9dc50aac871ff81c54e000adb1de11c17aeea75fbc80afa5f025d1efe6c79acbfd05b5de6066f084ed0e26d4287c354984195e7aa134545846d371f84063bd0

    • SSDEEP

      768:izEI16zcI2eTcvEWm/ljPjOPAxr25znrSh7A8g3CqnZZ6qmmlGThRR2fTnR2fTT0:y1H5MiP1zrSh7JwZQxmlGKyn6hb

    Score
    5/10
    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Target

      resources/install-service.exe

    • Size

      151KB

    • MD5

      9733b9189a1e3337d42fb31ef4c9c17f

    • SHA1

      299db7b12c9f6511f27e3968a3f5f6e6ea4f04fa

    • SHA256

      aa575f832564c5e85beddb652f59dffc145f27f6db6f547dfa6465c7e4370b33

    • SHA512

      b14b47745898ff61943bba0c980a4273a78c22e5896d59fc881eb3c2d3fbdab03e87c88c35db7dd8e43e9ba58567420bc6554917d2de9940f6d47dd5b309dcf1

    • SSDEEP

      3072:UODshvuH5PifoioYnnBR8EefPsyHmW5O+2c+EFbfY:UObH5PiAiFnZe3GW32SFb

    Score
    1/10
    • Target

      resources/uninstall-service.exe

    • Size

      132KB

    • MD5

      a34714c81bcef05c7b1824c9753b8785

    • SHA1

      e73a244eb3cb12a08579b98d0b86c98fcbdf3611

    • SHA256

      9f32016f64c204bddd5b486833360290bc80e8b97e1485a66e57ca1db541e3e6

    • SHA512

      e384d4a41a4dd0c3feeeb6c89a217ea397274b207c3d76618843a48b574a171f6f71ca52ec4b1bf591a2f8573261e9bc6965071fa0435187a191b2e3bd20ab7a

    • SSDEEP

      1536:7DR0YxXfJuWwdEl+/JhB6n6hax6JTJ9Nfj4XBsgyYSqt/1iQdUkhLyPVBM3yG5kk:HJxXxuWajB6A11lqt1dSkMPVOjSi/Bf

    Score
    1/10
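
The five registry-centric signatures flagged above (IFEO injection, COM hijacking, Uninstall-key enumeration, system-information reads and the country-code lookup) can be reproduced as detection logic over host telemetry. The Python below is an added example written for this page, not tria.ge's signature code: the registry paths are this editor's assumptions about what each signature matches, the tab-separated events are constructed rather than taken from the sandbox run, and the `query` operation assumes a telemetry source that records registry reads (Sysmon logs only key creation, value writes and renames, so the two persistence rules work on Sysmon Event ID 12/13 while the three discovery rules need EDR or ETW registry data).

```python
"""Reproduce the registry-based behaviour signatures from this report as
detection logic (added example; not tria.ge code). The key paths are this
editor's assumptions about what each signature matches; the events are
constructed, not taken from the sandbox run."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegEvent:
    op: str     # "set"/"create" (Sysmon ID 13/12) or "query" (needs EDR/ETW
                # registry telemetry; Sysmon does not log reads)
    image: str  # process that touched the key
    path: str   # HKLM\... or HKCU\... path including the value name


# (signature name as this report labels it, operations it applies to,
#  assumed key pattern, ATT&CK tactic tags the report shows for it)
SIGNATURES = [
    ("Event Triggered Execution: Image File Execution Options Injection",
     {"set", "create"},
     re.compile(r"^HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\"
                r"Image File Execution Options\\[^\\]+\\(Debugger|GlobalFlag|VerifierDlls)$", re.I),
     {"persistence", "privilege_escalation"}),
    ("Event Triggered Execution: Component Object Model Hijacking",
     {"set", "create"},
     re.compile(r"^HK(CU|U\\[^\\]+)\\Software\\Classes\\CLSID\\\{[0-9a-f-]{36}\}\\"
                r"(InprocServer32|LocalServer32|TreatAs)", re.I),
     {"persistence", "privilege_escalation"}),
    ("Checks installed software on the system",
     {"query"},
     re.compile(r"^HK(LM|CU)\\SOFTWARE\\(WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Uninstall\\", re.I),
     {"discovery"}),
    ("Checks system information in the registry",
     {"query"},
     re.compile(r"^HKLM\\(HARDWARE\\DESCRIPTION\\System|SYSTEM\\CurrentControlSet\\Control\\SystemInformation)\\", re.I),
     {"discovery"}),
    ("Checks computer location settings",
     {"query"},
     re.compile(r"^HKCU\\Control Panel\\International\\Geo\\(Nation|Name)$", re.I),
     {"discovery"}),
]


def parse_line(line: str) -> RegEvent:
    """Parse one tab-separated record: op, image, path (paths may contain spaces)."""
    op, image, path = line.rstrip("\n").split("\t", 2)
    return RegEvent(op, image, path)


def match_signatures(events):
    """Return {signature name: [matching paths]} for the given events."""
    hits = {}
    for ev in events:
        for name, ops, pattern, _ in SIGNATURES:
            if ev.op in ops and pattern.search(ev.path):
                hits.setdefault(name, []).append(ev.path)
    return hits


def tactics(hits):
    """Collapse matched signatures into the tactic tags the report prints per task."""
    tags = set()
    for name, _, _, tac in SIGNATURES:
        if name in hits:
            tags |= tac
    return sorted(tags)


# Constructed telemetry (tab-separated: op, image, path). The CLSID is a
# placeholder; none of these records come from the real sandbox run.
SETUP = r"C:\Users\user\Desktop\setup.exe"
SAMPLE_LOG = "\n".join("\t".join(rec) for rec in [
    ("set", SETUP, r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example.exe\Debugger"),
    ("set", SETUP, r"HKCU\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32\(Default)"),
    ("query", SETUP, r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Example App\DisplayName"),
    ("query", SETUP, r"HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation\SystemManufacturer"),
    ("query", SETUP, r"HKCU\Control Panel\International\Geo\Nation"),
    # Benign noise: a read of Run (no rule) and the installer writing its own
    # Uninstall entry (a write, so the "checks installed software" rule stays quiet).
    ("query", SETUP, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
    ("set", SETUP, r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Example App\DisplayName"),
])


if __name__ == "__main__":
    hits = match_signatures(parse_line(l) for l in SAMPLE_LOG.splitlines())
    for name, paths in hits.items():
        print(f"{name}: {len(paths)} hit(s)")
    print("tactics:", tactics(hits))
```

Run against the constructed log, all five signatures fire and the tactic set collapses to `discovery`, `persistence`, `privilege_escalation`, the same three tags this report attaches to the installer's task. The two noise records show the split a practitioner cares about: an installer writing its own Uninstall entry is a write, not the enumeration the discovery signature describes, and a plain read of `Run` matches nothing, so the rules do not fire on every installer that touches the registry.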

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

discovery, persistence, privilege_escalation
Score
8/10

behavioral2

discovery
Score
7/10

behavioral3

discovery
Score
3/10

behavioral4

discovery
Score
3/10

behavioral5

discovery
Score
3/10

behavioral6

discovery
Score
3/10

behavioral7

discovery
Score
3/10

behavioral8

discovery
Score
3/10

behavioral9

discovery
Score
3/10

behavioral10

discovery
Score
3/10

behavioral11

discovery
Score
3/10

behavioral12

discovery
Score
3/10

behavioral13

discovery
Score
3/10

behavioral14

discovery
Score
3/10

behavioral15

discovery
Score
3/10

behavioral16

discovery
Score
3/10

behavioral17

discovery, persistence, privilege_escalation
Score
8/10

behavioral18

discovery, persistence, privilege_escalation
Score
8/10

behavioral19

Score
1/10

behavioral20

Score
1/10

behavioral21

Score
1/10

behavioral22

Score
1/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

Score
1/10

behavioral26

Score
1/10

behavioral27

Score
1/10

behavioral28

Score
5/10

behavioral29

Score
1/10

behavioral30

Score
1/10

behavioral31

Score
1/10

behavioral32

Score
1/10