Analysis
max time kernel
144s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted
19/09/2024, 02:27
Static task
static1
Behavioral task
behavioral1
Sample
B3RAP Leecher v0.5/B3RAP Leecher.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
B3RAP Leecher v0.5/B3RAP Leecher.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
B3RAP Leecher v0.5/Leaf.xNet.dll
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
B3RAP Leecher v0.5/Leaf.xNet.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
NETFLIX Checker Account By X-KILLER/._cache_NETFLIX Checker Account By X-KILLER.exe
Resource
win7-20240708-en
Behavioral task
behavioral6
Sample
NETFLIX Checker Account By X-KILLER/._cache_NETFLIX Checker Account By X-KILLER.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
NETFLIX Checker Account By X-KILLER/NETFLIX Checker Account By X-KILLER.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
NETFLIX Checker Account By X-KILLER/NETFLIX Checker Account By X-KILLER.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
NETFLIX Checker Account By X-KILLER/SkinSoft.VisualStyler.dll
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
NETFLIX Checker Account By X-KILLER/SkinSoft.VisualStyler.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral11
Sample
NETFLIX Checker Account By X-KILLER/xNet.dll
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
NETFLIX Checker Account By X-KILLER/xNet.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral13
Sample
Proxy Checker v0.2/._cache_Proxy Checker v0.2 By X-SLAYER.exe
Resource
win7-20240704-en
Behavioral task
behavioral14
Sample
Proxy Checker v0.2/._cache_Proxy Checker v0.2 By X-SLAYER.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral15
Sample
Proxy Checker v0.2/Proxy Checker v0.2 By X-SLAYER.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
Proxy Checker v0.2/Proxy Checker v0.2 By X-SLAYER.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral17
Sample
Proxy Checker v0.2/Proxy Checker v0.2 Crack.exe
Resource
win7-20240708-en
Behavioral task
behavioral18
Sample
Proxy Checker v0.2/Proxy Checker v0.2 Crack.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral19
Sample
Proxy Checker v0.2/SkinSoft.VisualStyler.dll
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
Proxy Checker v0.2/SkinSoft.VisualStyler.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral21
Sample
Proxy Checker v0.2/xNet.dll
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
Proxy Checker v0.2/xNet.dll
Resource
win10v2004-20240802-en
General
Target
B3RAP Leecher v0.5/B3RAP Leecher.exe
Size
7.6MB
MD5
daf410cc495219fe8ac9a02712ad3684
SHA1
e8105b282d9c6f5ec146a138fa899675441419b8
SHA256
51e36fe50f5cc439b8a275571b303fab85d4beb430abefb578a6ca5226c17601
SHA512
1ea3f87e39cbbbf125602294fb9fd4b713bfb5b16ade2f503a4be84f6d8c123830edb626b02e6a7d1a344dd46134cb240c6c70fd7a5ab129e3d1b507a8ba8773
SSDEEP
196608:CLwIMmXE6d1CPwDv3uFgsLsv13uFnCPwPnhwn59OIl/3igTlBCKgx:CpTXE6d1CPwDv3uF1Lsv13uFnCPwfhw8
Malware Config
Signatures
resource
behavioral1/files/0x0005000000019586-95.dat
behavioral1/files/0x0007000000019586-117.dat

Executes dropped EXE 3 IoCs
pid | Process
2104 | ._cache_B3RAP Leecher.exe
2996 | Synaptics.exe
2800 | ._cache_Synaptics.exe

Loads dropped DLL 5 IoCs
pid | Process
2980 | B3RAP Leecher.exe
2980 | B3RAP Leecher.exe
2980 | B3RAP Leecher.exe
2996 | Synaptics.exe
2996 | Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | B3RAP Leecher.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | B3RAP Leecher.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Synaptics.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EXCEL.EXE

NSIS installer 2 IoCs
resource | yara_rule
behavioral1/files/0x000b000000012256-4.dat | nsis_installer_2
behavioral1/files/0x0004000000019542-13.dat | nsis_installer_2

Enumerates system info in registry 2 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2648 | EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
2648 | EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 2980 wrote to memory of 2104 | 2980 | B3RAP Leecher.exe | 29
PID 2980 wrote to memory of 2104 | 2980 | B3RAP Leecher.exe | 29
PID 2980 wrote to memory of 2104 | 2980 | B3RAP Leecher.exe | 29
PID 2980 wrote to memory of 2104 | 2980 | B3RAP Leecher.exe | 29
PID 2980 wrote to memory of 2996 | 2980 | B3RAP Leecher.exe | 30
PID 2980 wrote to memory of 2996 | 2980 | B3RAP Leecher.exe | 30
PID 2980 wrote to memory of 2996 | 2980 | B3RAP Leecher.exe | 30
PID 2980 wrote to memory of 2996 | 2980 | B3RAP Leecher.exe | 30
PID 2996 wrote to memory of 2800 | 2996 | Synaptics.exe | 31
PID 2996 wrote to memory of 2800 | 2996 | Synaptics.exe | 31
PID 2996 wrote to memory of 2800 | 2996 | Synaptics.exe | 31
PID 2996 wrote to memory of 2800 | 2996 | Synaptics.exe | 31
Processes
C:\Users\Admin\AppData\Local\Temp\B3RAP Leecher v0.5\B3RAP Leecher.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\B3RAP Leecher v0.5\B3RAP Leecher.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2980

    C:\Users\Admin\AppData\Local\Temp\B3RAP Leecher v0.5\._cache_B3RAP Leecher.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\B3RAP Leecher v0.5\._cache_B3RAP Leecher.exe"
      - Executes dropped EXE
      PID: 2104

    C:\ProgramData\Synaptics\Synaptics.exe
      Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2996

        C:\Users\Admin\AppData\Local\Temp\B3RAP Leecher v0.5\._cache_Synaptics.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\B3RAP Leecher v0.5\._cache_Synaptics.exe" InjUpdate
          - Executes dropped EXE
          PID: 2800

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 2648
Network
MITRE ATT&CK Enterprise v15
Downloads