Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

Spoofer.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    22s
  • max time network
    31s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    19/11/2024, 19:39 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Spoofer.exe

  • Size

    42KB

  • MD5

    a1baabfc69147abcad27edeb039b2c48

  • SHA1

    4b7ecee83d1f878e80c42d48b8e3526199017621

  • SHA256

    eb0c301974a821dedb5970184a934715cbe92abffb8a7532a990bf12ae824e4f

  • SHA512

    1a424b500dd64af5cb4527fdc6136be3687db6d88222859744e2495edd6670efdb826761515bd2fd67263eee2c8033026ed888ce8e9f7097e515c7b35ec99a3d

  • SSDEEP

    768:eaRlnERMjPsRNGAuZNLJpTjEKZKfgm3EhFe:eRMTsjGnLJpToF7Ene

Score
10/10
mercurialgrabberevasionspywarestealer

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discordapp.com/api/webhooks/1308437525995458580/tUCFfkyMze1B-I4wpnAKAPeE5f0RIWtyWwzWg3ZmQtPlguWlMw52Bcp3BrDC8rz1AXzP

Signatures

Processes

  • C:\Users\Admin\AppData\Local\Temp\Spoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\Spoofer.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    PID:1936

Network

  • flag-us
    DNS
    ip4.seeip.org
    Spoofer.exe
    Remote address:
    8.8.8.8:53
    Request
    ip4.seeip.org
    IN A
    Response
    ip4.seeip.org
    IN A
    23.128.64.141
  • flag-us
    DNS
    ip-api.com
    Spoofer.exe
    Remote address:
    8.8.8.8:53
    Request
    ip-api.com
    IN A
    Response
    ip-api.com
    IN A
    208.95.112.1
  • flag-us
    DNS
    discordapp.com
    Spoofer.exe
    Remote address:
    8.8.8.8:53
    Request
    discordapp.com
    IN A
    Response
    discordapp.com
    IN A
    162.159.129.233
    discordapp.com
    IN A
    162.159.130.233
    discordapp.com
    IN A
    162.159.135.233
    discordapp.com
    IN A
    162.159.134.233
    discordapp.com
    IN A
    162.159.133.233
  • flag-us
    DNS
    1.112.95.208.in-addr.arpa
    Spoofer.exe
    Remote address:
    8.8.8.8:53
    Request
    1.112.95.208.in-addr.arpa
    IN PTR
    Response
    1.112.95.208.in-addr.arpa
    IN PTR
    ip-apicom
  • flag-us
    DNS
    233.129.159.162.in-addr.arpa
    Spoofer.exe
    Remote address:
    8.8.8.8:53
    Request
    233.129.159.162.in-addr.arpa
    IN PTR
    Response
  • flag-us
    GET
    http://ip-api.com//json/
    Spoofer.exe
    Remote address:
    208.95.112.1:80
    Request
    GET //json/ HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Tue, 19 Nov 2024 19:40:46 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 291
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
  • 23.128.64.141:443
    ip4.seeip.org
    Spoofer.exe
    260 B
     5
  • 208.95.112.1:80
    http://ip-api.com//json/
    http
    Spoofer.exe
    296 B
     600 B
     5
    3

    HTTP Request

    GET http://ip-api.com//json/

    HTTP Response

    200
  • 162.159.129.233:443
    discordapp.com
    tls
    Spoofer.exe
    1.4kB
     5.6kB
     8
    10
  • 162.159.129.233:443
    discordapp.com
    tls
    Spoofer.exe
    1.5kB
     2.9kB
     7
    8
  • 8.8.8.8:53
    ip4.seeip.org
    dns
    Spoofer.exe
    320 B
     518 B
     5
    5

    DNS Request

    ip4.seeip.org

    DNS Response

    23.128.64.141

    DNS Request

    ip-api.com

    DNS Response

    208.95.112.1

    DNS Request

    discordapp.com

    DNS Response

    162.159.129.233
    162.159.130.233
    162.159.135.233
    162.159.134.233
    162.159.133.233

    DNS Request

    1.112.95.208.in-addr.arpa

    DNS Request

    233.129.159.162.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1936-0-0x00007FF844323000-0x00007FF844325000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1936-1-0x0000000000E80000-0x0000000000E90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1936-2-0x00007FF844320000-0x00007FF844DE2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1936-3-0x00007FF844323000-0x00007FF844325000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1936-4-0x00007FF844320000-0x00007FF844DE2000-memory.dmp

    Filesize

    10.8MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.