Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

58fe672cdb...a9.exe

windows7-x64

10

58fe672cdb...a9.exe

windows10-2004-x64

10

Resubmissions

23/09/2024, 07:57

240923-jtrhcayhqh 10

22/09/2024, 22:11

240922-13xjdsyajh 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    58fe672cdb9c2f380f4ab2157a57cfa9.exe

  • Size

    6.5MB

  • Sample

    240923-jtrhcayhqh

  • MD5

    58fe672cdb9c2f380f4ab2157a57cfa9

  • SHA1

    de2869332551a4f97a1ae65000adf1edf91f0121

  • SHA256

    cf7d328ce0b9c53b4613030296421f1cc710aa391bca418b3e3566db1128cbe5

  • SHA512

    60898c5480ff869d6402901a265dd1028c170201b051db7bf485eef6a8eef2683be909ee1092c29056fd6fcac05f02f2fd6997b51a94c876fd332a7ffa8fa7cd

  • SSDEEP

    196608:JXN6Jm1BFYcVWj7gKLWCPP/31b8XN6Jm1I:Nh1cl7gKRP39Yh1

Score
10/10
cybergatedcratnjratrevengeratcyberhackedmarzo26credential_accessdefense_evasiondiscoveryevasionexecutioninfostealerpersistenceratspywarestealertrojanupx

Malware Config

Extracted

Family

revengerat

Botnet

Marzo26

C2

marzorevenger.duckdns.org:4230

Mutex

RV_MUTEX-PiGGjjtnxDpn

Extracted

Family

cybergate

Version

v1.05.1

Botnet

cyber

C2

sonytester.no-ip.biz:99

Mutex

SA237HSP65QY45

Attributes
  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Winbooterr

  • install_file

    Svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Wait For Server Comming Up Again.

  • message_box_title

    FAIL 759.

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

thomas-drops.gl.at.ply.gg:45773

Mutex

Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |Hassan|

Targets

    • Target

      58fe672cdb9c2f380f4ab2157a57cfa9.exe

    • Size

      6.5MB

    • MD5

      58fe672cdb9c2f380f4ab2157a57cfa9

    • SHA1

      de2869332551a4f97a1ae65000adf1edf91f0121

    • SHA256

      cf7d328ce0b9c53b4613030296421f1cc710aa391bca418b3e3566db1128cbe5

    • SHA512

      60898c5480ff869d6402901a265dd1028c170201b051db7bf485eef6a8eef2683be909ee1092c29056fd6fcac05f02f2fd6997b51a94c876fd332a7ffa8fa7cd

    • SSDEEP

      196608:JXN6Jm1BFYcVWj7gKLWCPP/31b8XN6Jm1I:Nh1cl7gKRP39Yh1

    Score
    10/10
    cybergatedcratnjratrevengeratcyberhackedmarzo26credential_accessdefense_evasiondiscoveryevasionexecutioninfostealerpersistenceratspywarestealertrojanupx

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

      trojanstealercybergate

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Modifies WinLogon for persistence

      persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RevengeRAT

      Remote-access trojan with a wide range of capabilities.

      trojanrevengerat

    • UAC bypass

      evasiontrojan

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Adds policy Run key to start application

      persistence

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

      defense_evasion

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

4
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

4
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

7
T1112

Obfuscated Files or Information

1
T1027

Command Obfuscation

1
T1027.010

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

2
T1012

Remote System Discovery

1
T1018

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks