Resubmissions

30/11/2024, 00:13 UTC

241130-ahvwystmfv 10

29/11/2024, 21:13 UTC

241129-z2qtsa1lhn 10

27/11/2024, 19:30 UTC

241127-x7tfratjar 10

27/11/2024, 19:27 UTC

241127-x6eafawrbz 10

26/11/2024, 23:43 UTC

241126-3qkp6sslfn 10

Analysis

  • max time kernel
    34s
  • max time network
    35s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/11/2024, 19:30 UTC

General

  • Target

    sqx.dll

  • Size

    1.3MB

  • MD5

    dd862590d9e4ea1791df147912ae4c8f

  • SHA1

    852d7a9ea4db5ff4cd51a92447a8d5701cfb322b

  • SHA256

    14ffcbbfb305287ea15264df3363567f36a26917ae2018af0f40e2009b8a7184

  • SHA512

    3e9222d8bd91d3e53f5e378318a78a7c5aa12011272031f7c0d8c36c5b255db1d0a168cc02e1159eb021dd18206352dd6dcb857fefc2222937c467350dc6d568

  • SSDEEP

    24576:pQrDp6J8JM3IgVvF7EtPCo1Frk5fRJhqYEjTvpAbHT0HRZonw4by:pQpI8JM3IwEtPCo1F45fvhq/jTyb4HR+

Malware Config

Extracted

Family

latrodectus

C2

https://reateberam.com/test/

https://dogirafer.com/test/

Signatures

  • Brute Ratel C4

    A customized command and control framework for red teaming and adversary simulation.

  • Bruteratel family
  • Detect BruteRatel badger 1 IoCs
  • Detects Latrodectus 4 IoCs

    Detects Latrodectus v1.4.

  • Latrodectus family
  • Latrodectus loader

    Latrodectus is a loader written in C++.

  • Blocklisted process makes network request 4 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 1 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1200
      • C:\Windows\system32\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\sqx.dll,#1
        2⤵
        • Blocklisted process makes network request
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2364

    Network

    • flag-us
      DNS
      uayyau.com
      rundll32.exe
      Remote address:
      8.8.8.8:53
      Request
      uayyau.com
      IN A
      Response
      uayyau.com
      IN A
      94.232.40.38
    • flag-nl
      POST
      https://uayyau.com:4438/topaz.php
      rundll32.exe
      Remote address:
      94.232.40.38:4438
      Request
      POST /topaz.php HTTP/1.1
      zazuzi_PwegsaZxSx07IW: zabuzil_Tq4wvLNC9JN1ED
      User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 13_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Mobile/15E148 Snapchat/10.77.5.59 (like Safari/604.1)
      Host: uayyau.com:4438
      Content-Length: 540
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Server: nginx
      Content-Type: text/html
      Date: Wed, 27 Nov 2024 19:30:17 GMT
      Zazuzi_pwegsazxsx07iw: zabuzil_Tq4wvLNC9JN1ED
      Content-Length: 56
    • flag-us
      DNS
      r10.o.lencr.org
      rundll32.exe
      Remote address:
      8.8.8.8:53
      Request
      r10.o.lencr.org
      IN A
      Response
      r10.o.lencr.org
      IN CNAME
      o.lencr.edgesuite.net
      o.lencr.edgesuite.net
      IN CNAME
      a1887.dscq.akamai.net
      a1887.dscq.akamai.net
      IN A
      2.18.190.73
      a1887.dscq.akamai.net
      IN A
      2.18.190.80
    • flag-gb
      GET
      http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgNejCTeq2gShXT9bHjIe67j0A%3D%3D
      rundll32.exe
      Remote address:
      2.18.190.73:80
      Request
      GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgNejCTeq2gShXT9bHjIe67j0A%3D%3D HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/6.1
      Host: r10.o.lencr.org
      Response
      HTTP/1.1 200 OK
      Server: nginx
      Content-Type: application/ocsp-response
      Content-Length: 504
      ETag: "C3A87D4030614ED7D053263C9D3D80EC3E52DFC15AAFDB37328895B542037DD0"
      Last-Modified: Tue, 26 Nov 2024 23:43:00 UTC
      Cache-Control: public, no-transform, must-revalidate, max-age=21564
      Expires: Thu, 28 Nov 2024 01:29:41 GMT
      Date: Wed, 27 Nov 2024 19:30:17 GMT
      Connection: keep-alive
    • flag-gb
      GET
      http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgT4bXi2qXQ%2BWKdb23PY5psqdw%3D%3D
      rundll32.exe
      Remote address:
      2.18.190.73:80
      Request
      GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgT4bXi2qXQ%2BWKdb23PY5psqdw%3D%3D HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/6.1
      Host: r10.o.lencr.org
      Response
      HTTP/1.1 200 OK
      Server: nginx
      Content-Type: application/ocsp-response
      Content-Length: 504
      ETag: "6C32E9650A2D6C11922DC3768216B7C7713FDB4DDE23295D52A977FAB516CE3A"
      Last-Modified: Mon, 25 Nov 2024 17:20:00 UTC
      Cache-Control: public, no-transform, must-revalidate, max-age=21510
      Expires: Thu, 28 Nov 2024 01:28:48 GMT
      Date: Wed, 27 Nov 2024 19:30:18 GMT
      Connection: keep-alive
    • flag-us
      DNS
      guaaug.com
      rundll32.exe
      Remote address:
      8.8.8.8:53
      Request
      guaaug.com
      IN A
      Response
      guaaug.com
      IN A
      46.249.49.83
    • flag-nl
      POST
      https://guaaug.com:4438/topaz.php
      rundll32.exe
      Remote address:
      46.249.49.83:4438
      Request
      POST /topaz.php HTTP/1.1
      zazuzi_PwegsaZxSx07IW: zabuzil_Tq4wvLNC9JN1ED
      User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 13_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Mobile/15E148 Snapchat/10.77.5.59 (like Safari/604.1)
      Host: guaaug.com:4438
      Content-Length: 158
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Server: nginx
      Content-Type: text/html
      Date: Wed, 27 Nov 2024 19:30:18 GMT
      Zazuzi_pwegsazxsx07iw: zabuzil_Tq4wvLNC9JN1ED
      Content-Length: 204760
    • flag-us
      DNS
      crl.microsoft.com
      Remote address:
      8.8.8.8:53
      Request
      crl.microsoft.com
      IN A
      Response
      crl.microsoft.com
      IN CNAME
      crl.www.ms.akadns.net
      crl.www.ms.akadns.net
      IN CNAME
      a1363.dscg.akamai.net
      a1363.dscg.akamai.net
      IN A
      2.19.252.157
      a1363.dscg.akamai.net
      IN A
      2.19.252.143
    • flag-gb
      GET
      http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
      Remote address:
      2.19.252.157:80
      Request
      GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      If-Modified-Since: Thu, 11 Jul 2024 01:45:51 GMT
      User-Agent: Microsoft-CryptoAPI/6.1
      Host: crl.microsoft.com
      Response
      HTTP/1.1 200 OK
      Content-Length: 1036
      Content-Type: application/octet-stream
      Content-MD5: 8M9bF5Tsp81z+cAg2quO8g==
      Last-Modified: Thu, 26 Sep 2024 02:21:11 GMT
      ETag: 0x8DCDDD1E3AF2C76
      Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
      x-ms-request-id: d9e5f04e-201e-002d-56c3-0fe499000000
      x-ms-version: 2009-09-19
      x-ms-lease-status: unlocked
      x-ms-blob-type: BlockBlob
      Date: Wed, 27 Nov 2024 19:30:47 GMT
      Connection: keep-alive
    • flag-us
      DNS
      www.microsoft.com
      Remote address:
      8.8.8.8:53
      Request
      www.microsoft.com
      IN A
      Response
      www.microsoft.com
      IN CNAME
      www.microsoft.com-c-3.edgekey.net
      www.microsoft.com-c-3.edgekey.net
      IN CNAME
      www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
      www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
      IN CNAME
      e13678.dscb.akamaiedge.net
      e13678.dscb.akamaiedge.net
      IN A
      23.192.22.93
    • flag-us
      GET
      http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
      Remote address:
      23.192.22.93:80
      Request
      GET /pkiops/crl/MicCodSigPCA2011_2011-07-08.crl HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      If-Modified-Since: Sun, 18 Aug 2024 00:23:49 GMT
      User-Agent: Microsoft-CryptoAPI/6.1
      Host: www.microsoft.com
      Response
      HTTP/1.1 200 OK
      Content-Length: 1078
      Content-Type: application/octet-stream
      Content-MD5: PjrtHAukbJio72s77Ag5mA==
      Last-Modified: Thu, 31 Oct 2024 23:26:09 GMT
      ETag: 0x8DCFA0366D6C4CA
      x-ms-request-id: 46e337eb-b01e-0072-49f3-2b50a5000000
      x-ms-version: 2009-09-19
      x-ms-lease-status: unlocked
      x-ms-blob-type: BlockBlob
      Date: Wed, 27 Nov 2024 19:30:48 GMT
      Connection: keep-alive
      TLS_version: UNKNOWN
      ms-cv: CASMicrosoftCV129596bc.0
      ms-cv-esi: CASMicrosoftCV129596bc.0
      X-RTag: RT
    • 94.232.40.38:4438
      https://uayyau.com:4438/topaz.php
      tls, http
      rundll32.exe
      1.7kB
      3.8kB
      9
      9

      HTTP Request

      POST https://uayyau.com:4438/topaz.php

      HTTP Response

      200
    • 2.18.190.73:80
      http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgT4bXi2qXQ%2BWKdb23PY5psqdw%3D%3D
      http
      rundll32.exe
      802 B
      2.9kB
      7
      6

      HTTP Request

      GET http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgNejCTeq2gShXT9bHjIe67j0A%3D%3D

      HTTP Response

      200

      HTTP Request

      GET http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgT4bXi2qXQ%2BWKdb23PY5psqdw%3D%3D

      HTTP Response

      200
    • 46.249.49.83:4438
      https://guaaug.com:4438/topaz.php
      tls, http
      rundll32.exe
      5.9kB
      215.3kB
      104
      160

      HTTP Request

      POST https://guaaug.com:4438/topaz.php

      HTTP Response

      200
    • 2.19.252.157:80
      http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
      http
      399 B
      1.7kB
      4
      4

      HTTP Request

      GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

      HTTP Response

      200
    • 23.192.22.93:80
      http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
      http
      393 B
      1.7kB
      4
      4

      HTTP Request

      GET http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl

      HTTP Response

      200
    • 8.8.8.8:53
      uayyau.com
      dns
      rundll32.exe
      56 B
      72 B
      1
      1

      DNS Request

      uayyau.com

      DNS Response

      94.232.40.38

    • 8.8.8.8:53
      r10.o.lencr.org
      dns
      rundll32.exe
      61 B
      160 B
      1
      1

      DNS Request

      r10.o.lencr.org

      DNS Response

      2.18.190.73
      2.18.190.80

    • 8.8.8.8:53
      guaaug.com
      dns
      rundll32.exe
      56 B
      72 B
      1
      1

      DNS Request

      guaaug.com

      DNS Response

      46.249.49.83

    • 8.8.8.8:53
      crl.microsoft.com
      dns
      63 B
      162 B
      1
      1

      DNS Request

      crl.microsoft.com

      DNS Response

      2.19.252.157
      2.19.252.143

    • 8.8.8.8:53
      www.microsoft.com
      dns
      63 B
      230 B
      1
      1

      DNS Request

      www.microsoft.com

      DNS Response

      23.192.22.93

    MITRE ATT&CK Enterprise v15


    Downloads

    • memory/1200-34-0x00000000025B0000-0x00000000025C5000-memory.dmp

      Filesize

      84KB

    • memory/1200-37-0x00000000025B0000-0x00000000025C5000-memory.dmp

      Filesize

      84KB

    • memory/1200-36-0x00000000025B0000-0x00000000025C5000-memory.dmp

      Filesize

      84KB

    • memory/1200-38-0x00000000025B0000-0x00000000025C5000-memory.dmp

      Filesize

      84KB

    • memory/2364-0-0x00000000001B0000-0x00000000001EE000-memory.dmp

      Filesize

      248KB

    • memory/2364-1-0x0000000001D40000-0x0000000001D8C000-memory.dmp

      Filesize

      304KB

    • memory/2364-28-0x000007FFFFF90000-0x000007FFFFF91000-memory.dmp

      Filesize

      4KB

    • memory/2364-32-0x000007FFFFF40000-0x000007FFFFF41000-memory.dmp

      Filesize

      4KB

    • memory/2364-33-0x000007FFFFF30000-0x000007FFFFF31000-memory.dmp

      Filesize

      4KB

    • memory/2364-31-0x000007FFFFF50000-0x000007FFFFF51000-memory.dmp

      Filesize

      4KB

    • memory/2364-30-0x000007FFFFF60000-0x000007FFFFF61000-memory.dmp

      Filesize

      4KB

    • memory/2364-29-0x000007FFFFF70000-0x000007FFFFF85000-memory.dmp

      Filesize

      84KB
