Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

58fe672cdb...a9.exe

windows7-x64

10

58fe672cdb...a9.exe

windows10-2004-x64

10

Resubmissions

23/09/2024, 07:57 UTC

240923-jtrhcayhqh 10

22/09/2024, 22:11 UTC

240922-13xjdsyajh 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    58fe672cdb9c2f380f4ab2157a57cfa9.exe

  • Size

    6.5MB

  • Sample

    240923-jtrhcayhqh

  • MD5

    58fe672cdb9c2f380f4ab2157a57cfa9

  • SHA1

    de2869332551a4f97a1ae65000adf1edf91f0121

  • SHA256

    cf7d328ce0b9c53b4613030296421f1cc710aa391bca418b3e3566db1128cbe5

  • SHA512

    60898c5480ff869d6402901a265dd1028c170201b051db7bf485eef6a8eef2683be909ee1092c29056fd6fcac05f02f2fd6997b51a94c876fd332a7ffa8fa7cd

  • SSDEEP

    196608:JXN6Jm1BFYcVWj7gKLWCPP/31b8XN6Jm1I:Nh1cl7gKRP39Yh1

Score
10/10
cybergatedcratnjratrevengeratcyberhackedmarzo26credential_accessdefense_evasiondiscoveryevasionexecutioninfostealerpersistenceratspywarestealertrojanupx

Malware Config

Extracted

Family

revengerat

Botnet

Marzo26

C2

marzorevenger.duckdns.org:4230

Mutex

RV_MUTEX-PiGGjjtnxDpn

Extracted

Family

cybergate

Version

v1.05.1

Botnet

cyber

C2

sonytester.no-ip.biz:99

Mutex

SA237HSP65QY45

Attributes
  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Winbooterr

  • install_file

    Svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Wait For Server Comming Up Again.

  • message_box_title

    FAIL 759.

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

thomas-drops.gl.at.ply.gg:45773

Mutex

Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |Hassan|

Targets

    • Target

      58fe672cdb9c2f380f4ab2157a57cfa9.exe

    • Size

      6.5MB

    • MD5

      58fe672cdb9c2f380f4ab2157a57cfa9

    • SHA1

      de2869332551a4f97a1ae65000adf1edf91f0121

    • SHA256

      cf7d328ce0b9c53b4613030296421f1cc710aa391bca418b3e3566db1128cbe5

    • SHA512

      60898c5480ff869d6402901a265dd1028c170201b051db7bf485eef6a8eef2683be909ee1092c29056fd6fcac05f02f2fd6997b51a94c876fd332a7ffa8fa7cd

    • SSDEEP

      196608:JXN6Jm1BFYcVWj7gKLWCPP/31b8XN6Jm1I:Nh1cl7gKRP39Yh1

    Score
    10/10
    cybergatedcratnjratrevengeratcyberhackedmarzo26credential_accessdefense_evasiondiscoveryevasionexecutioninfostealerpersistenceratspywarestealertrojanupx

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

      trojanstealercybergate

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Modifies WinLogon for persistence

      persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RevengeRAT

      Remote-access trojan with a wide range of capabilities.

      trojanrevengerat

    • UAC bypass

      evasiontrojan

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Adds policy Run key to start application

      persistence

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

      defense_evasion

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

4
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

4
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

7
T1112

Obfuscated Files or Information

1
T1027

Command Obfuscation

1
T1027.010

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

2
T1012

Remote System Discovery

1
T1018

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.