Analysis
- max time kernel: 142s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/09/2024, 02:27
Static task: static1
Behavioral tasks (sample, resource):
- behavioral1: B3RAP Leecher v0.5/B3RAP Leecher.exe, win7-20240903-en
- behavioral2: B3RAP Leecher v0.5/B3RAP Leecher.exe, win10v2004-20240802-en
- behavioral3: B3RAP Leecher v0.5/Leaf.xNet.dll, win7-20240903-en
- behavioral4: B3RAP Leecher v0.5/Leaf.xNet.dll, win10v2004-20240802-en
- behavioral5: NETFLIX Checker Account By X-KILLER/._cache_NETFLIX Checker Account By X-KILLER.exe, win7-20240708-en
- behavioral6: NETFLIX Checker Account By X-KILLER/._cache_NETFLIX Checker Account By X-KILLER.exe, win10v2004-20240802-en
- behavioral7: NETFLIX Checker Account By X-KILLER/NETFLIX Checker Account By X-KILLER.exe, win7-20240903-en
- behavioral8: NETFLIX Checker Account By X-KILLER/NETFLIX Checker Account By X-KILLER.exe, win10v2004-20240802-en
- behavioral9: NETFLIX Checker Account By X-KILLER/SkinSoft.VisualStyler.dll, win7-20240903-en
- behavioral10: NETFLIX Checker Account By X-KILLER/SkinSoft.VisualStyler.dll, win10v2004-20240802-en
- behavioral11: NETFLIX Checker Account By X-KILLER/xNet.dll, win7-20240903-en
- behavioral12: NETFLIX Checker Account By X-KILLER/xNet.dll, win10v2004-20240802-en
- behavioral13: Proxy Checker v0.2/._cache_Proxy Checker v0.2 By X-SLAYER.exe, win7-20240704-en
- behavioral14: Proxy Checker v0.2/._cache_Proxy Checker v0.2 By X-SLAYER.exe, win10v2004-20240802-en
- behavioral15: Proxy Checker v0.2/Proxy Checker v0.2 By X-SLAYER.exe, win7-20240903-en
- behavioral16: Proxy Checker v0.2/Proxy Checker v0.2 By X-SLAYER.exe, win10v2004-20240802-en
- behavioral17: Proxy Checker v0.2/Proxy Checker v0.2 Crack.exe, win7-20240708-en
- behavioral18: Proxy Checker v0.2/Proxy Checker v0.2 Crack.exe, win10v2004-20240802-en
- behavioral19: Proxy Checker v0.2/SkinSoft.VisualStyler.dll, win7-20240903-en
- behavioral20: Proxy Checker v0.2/SkinSoft.VisualStyler.dll, win10v2004-20240802-en
- behavioral21: Proxy Checker v0.2/xNet.dll, win7-20240903-en
- behavioral22: Proxy Checker v0.2/xNet.dll, win10v2004-20240802-en
General
- Target: B3RAP Leecher v0.5/B3RAP Leecher.exe
- Size: 7.6MB
- MD5: daf410cc495219fe8ac9a02712ad3684
- SHA1: e8105b282d9c6f5ec146a138fa899675441419b8
- SHA256: 51e36fe50f5cc439b8a275571b303fab85d4beb430abefb578a6ca5226c17601
- SHA512: 1ea3f87e39cbbbf125602294fb9fd4b713bfb5b16ade2f503a4be84f6d8c123830edb626b02e6a7d1a344dd46134cb240c6c70fd7a5ab129e3d1b507a8ba8773
- SSDEEP: 196608:CLwIMmXE6d1CPwDv3uFgsLsv13uFnCPwPnhwn59OIl/3igTlBCKgx:CpTXE6d1CPwDv3uF1Lsv13uFnCPwfhw8
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation (B3RAP Leecher.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation (Synaptics.exe)
- Executes dropped EXE (3 IoCs)
  PID 832: ._cache_B3RAP Leecher.exe
  PID 2828: Synaptics.exe
  PID 2912: ._cache_Synaptics.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" (B3RAP Leecher.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (B3RAP Leecher.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Synaptics.exe)
- NSIS installer (2 IoCs)
  behavioral2/files/0x00080000000234d1-5.dat matched YARA rule nsis_installer_2
  behavioral2/files/0x00070000000234fd-67.dat matched YARA rule nsis_installer_2
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
- Modifies registry class (2 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (B3RAP Leecher.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (Synaptics.exe)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  PID 2948: EXCEL.EXE
- Suspicious use of SetWindowsHookEx (9 IoCs)
  PID 2948: EXCEL.EXE (the same entry is listed 9 times)
- Suspicious use of WriteProcessMemory (7 IoCs; description, pid, process, procid_target)
  PID 3920 wrote to memory of 832: pid 3920, B3RAP Leecher.exe, procid_target 82 (listed 2 times)
  PID 3920 wrote to memory of 2828: pid 3920, B3RAP Leecher.exe, procid_target 83 (listed 3 times)
  PID 2828 wrote to memory of 2912: pid 2828, Synaptics.exe, procid_target 84 (listed 2 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\B3RAP Leecher v0.5\B3RAP Leecher.exe (PID 3920, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\B3RAP Leecher v0.5\B3RAP Leecher.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\B3RAP Leecher v0.5\._cache_B3RAP Leecher.exe (PID 832, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\B3RAP Leecher v0.5\._cache_B3RAP Leecher.exe"
    Signatures: Executes dropped EXE
  - C:\ProgramData\Synaptics\Synaptics.exe (PID 2828, depth 2)
    Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\B3RAP Leecher v0.5\._cache_Synaptics.exe (PID 2912, depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\B3RAP Leecher v0.5\._cache_Synaptics.exe" InjUpdate
      Signatures: Executes dropped EXE
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 2948, depth 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  Signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads