Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

1dbf99bb87...18.exe

windows7-x64

10

1dbf99bb87...18.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

jailer.dll

windows7-x64

3

jailer.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1dbf99bb878f7cad04ba363045556071_JaffaCakes118

  • Size

    146KB

  • Sample

    241007-q1fgzssamf

  • MD5

    1dbf99bb878f7cad04ba363045556071

  • SHA1

    0508e0920f58b8f625c8320c37a55865cc5bbd83

  • SHA256

    57f192912a082c6e1050024c27208e34e3f0b1ab9260ccceb27d6801b86a4956

  • SHA512

    0291b044599fa1541ffdeb373f1599eec891a3025480f49a20df91b4d4f1100d6cf1792badbeac41aeea8c917de1f56d6879e0789928e14215404dc447542252

  • SSDEEP

    3072:WAsj8MBX8s0oXJi45DgoHh8Z6W9MNiAjlUByUyDKQlF1RkD37977:WAsBZM43Hh8QWNGKQlF1RkH977

Score
10/10
netwirebotnetdiscoverypersistenceratstealer

Malware Config

Extracted

Family

netwire

C2

6138.thruhere.net:6138

Attributes
  • activex_autorun

    false

  • copy_executable

    true

  • delete_original

    false

  • host_id

    03

  • install_path

    %AppData%\Skype\Skype.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

    jwVDeYBU

  • offline_keylogger

    true

  • password

    zaq12wsxZ

  • registry_autorun

    true

  • startup_name

    Skypeupdates

  • use_mutex

    true

Targets

    • Target

      1dbf99bb878f7cad04ba363045556071_JaffaCakes118

    • Size

      146KB

    • MD5

      1dbf99bb878f7cad04ba363045556071

    • SHA1

      0508e0920f58b8f625c8320c37a55865cc5bbd83

    • SHA256

      57f192912a082c6e1050024c27208e34e3f0b1ab9260ccceb27d6801b86a4956

    • SHA512

      0291b044599fa1541ffdeb373f1599eec891a3025480f49a20df91b4d4f1100d6cf1792badbeac41aeea8c917de1f56d6879e0789928e14215404dc447542252

    • SSDEEP

      3072:WAsj8MBX8s0oXJi45DgoHh8Z6W9MNiAjlUByUyDKQlF1RkD37977:WAsBZM43Hh8QWNGKQlF1RkH977

    Score
    10/10
    netwirebotnetdiscoverypersistenceratstealer

    • NetWire RAT payload

      rat

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

      botnetstealernetwire

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      883eff06ac96966270731e4e22817e11

    • SHA1

      523c87c98236cbc04430e87ec19b977595092ac8

    • SHA256

      44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

    • SHA512

      60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

    • SSDEEP

      96:UPDYcJ+nx4vVp76JX7zBlkCg21Fxz4THxtrqw1at0JgwLEjo+OB3yUVCdl/wNj+l:UPtkuWJX7zB3kGwfy0nyUVsxCjOMb1u

    Score
    3/10
    discovery
    behavioral3behavioral4

    • Target

      jailer.dll

    • Size

      68KB

    • MD5

      b27418eaf58dd7af2a04e79396069737

    • SHA1

      b2d50a8699a34ec2af3a08be4b9a00fd8c7a5985

    • SHA256

      a1b7d3a3c2038d13e8b1b338c1027352133c8b77e0337c50d5852d4a4b310210

    • SHA512

      0fa8757f6c67690f23574208db548705da23f0c7a8b5aa038876495d98748a046ca84486ae5900b8052ef2ca735ab4b9f6529c6e05a390cec8dd2c897f1bba6d

    • SSDEEP

      768:9A5HHymr9ogwwOFpsmdh6PXhBUr92ff+JupEo+FKdmcNiHdVtLsU:9A5yQo5wsbdhQxmvho+USbtLsU

    Score
    3/10
    discovery
    behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Tasks