Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

23/09/2024, 07:57 UTC

240923-jtrhcayhqh 10

22/09/2024, 22:11 UTC

240922-13xjdsyajh 10

General

  • Target

    58fe672cdb9c2f380f4ab2157a57cfa9.exe

  • Size

    6.5MB

  • Sample

    240923-jtrhcayhqh

  • MD5

    58fe672cdb9c2f380f4ab2157a57cfa9

  • SHA1

    de2869332551a4f97a1ae65000adf1edf91f0121

  • SHA256

    cf7d328ce0b9c53b4613030296421f1cc710aa391bca418b3e3566db1128cbe5

  • SHA512

    60898c5480ff869d6402901a265dd1028c170201b051db7bf485eef6a8eef2683be909ee1092c29056fd6fcac05f02f2fd6997b51a94c876fd332a7ffa8fa7cd

  • SSDEEP

    196608:JXN6Jm1BFYcVWj7gKLWCPP/31b8XN6Jm1I:Nh1cl7gKRP39Yh1

Malware Config

Extracted

Family

revengerat

Botnet

Marzo26

C2

marzorevenger.duckdns.org:4230

Mutex

RV_MUTEX-PiGGjjtnxDpn

Extracted

Family

cybergate

Version

v1.05.1

Botnet

cyber

C2

sonytester.no-ip.biz:99

Mutex

SA237HSP65QY45

Attributes
  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Winbooterr

  • install_file

    Svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Wait For Server Comming Up Again.

  • message_box_title

    FAIL 759.

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

thomas-drops.gl.at.ply.gg:45773

Mutex

Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |Hassan|

Targets

    • Target

      58fe672cdb9c2f380f4ab2157a57cfa9.exe

    • Size

      6.5MB

    • MD5

      58fe672cdb9c2f380f4ab2157a57cfa9

    • SHA1

      de2869332551a4f97a1ae65000adf1edf91f0121

    • SHA256

      cf7d328ce0b9c53b4613030296421f1cc710aa391bca418b3e3566db1128cbe5

    • SHA512

      60898c5480ff869d6402901a265dd1028c170201b051db7bf485eef6a8eef2683be909ee1092c29056fd6fcac05f02f2fd6997b51a94c876fd332a7ffa8fa7cd

    • SSDEEP

      196608:JXN6Jm1BFYcVWj7gKLWCPP/31b8XN6Jm1I:Nh1cl7gKRP39Yh1

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RevengeRAT

      Remote-access trojan with a wide range of capabilities.

    • UAC bypass

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.