Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

31/12/2024, 21:35

241231-1fmqnszqft 10

31/12/2024, 21:27

241231-1axzfssnek 10

16/12/2024, 05:27

241216-f5kx6awmh1 10

14/12/2024, 20:23

241214-y6jqlasrhy 10

14/12/2024, 20:22

241214-y51bysvmbk 10

14/12/2024, 20:13

241214-yzc98svkfr 10

14/12/2024, 13:14

241214-qgw1masrcy 10

14/12/2024, 13:12

241214-qfk7qsvlaq 3

12/12/2024, 18:19

241212-wymq6ssnat 10

General

  • Target

    241127-xqsswsslej_pw_infected.zip

  • Size

    12KB

  • Sample

    241212-www7tssmet

  • MD5

    79fd058f7d06cc022de1786507eb26e3

  • SHA1

    86590ec8ed73fd2951587561dff5387e9e0e18e6

  • SHA256

    cf99eaaa334a9c8ffc2fe0e1068ffcc02dda1dd8b2b0eab2821182c5d2c1f51d

  • SHA512

    8316ac3782c05a3ebea4ca0868e33512e5ef29b251498f3af5ab261cd2010dec6b0eca8a57adcadb0d70653be2e22c0c2c137c7a38ec7b3d5ebbdd02e09c0227

  • SSDEEP

    384:sBfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWT:wfACW6Dr8HWTHWT

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTMxNTQxMDg0NDg3NTQ4OTI4MA.Gx5ptK.HY1OYsjGMP1MsOoyD2E7T9pCvkfHTdOPozmb_c

  • server_id

    1315411300192616569

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:7000

80.76.49.229:7000

127.0.0.1:8080

101.99.92.189:8080

Mutex

WTs8NdiuS2GN0N0O

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

aes.plain
aes.plain

Extracted

Family

redline

Botnet

newbundle2

C2

185.215.113.67:15206

Extracted

Family

snakekeylogger

Credentials

Extracted

Family

lumma

C2

https://impend-differ.biz/api

https://print-vexer.biz/api

https://dare-curbys.biz/api

https://covery-mover.biz/api

https://formy-spill.biz/api

https://dwell-exclaim.biz/api

https://zinc-sneark.biz/api

https://se-blurry.biz/api

https://infect-crackle.cyou/api

https://servicedny.site/api

https://authorisev.site/api

https://faulteyotk.site/api

https://dilemmadu.site/api

https://contemteny.site/api

https://goalyfeastz.site/api

https://opposezmny.site/api

https://seallysl.site/api

https://ponintnykqwm.shop/api

https://sordid-snaked.cyou/api

https://awake-weaves.cyou/api

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

192.168.43.241:4782

Mutex

0517af80-95f0-4a6d-a904-5b7ee8faa157

Attributes
  • encryption_key

    6095BF6D5D58D02597F98370DFD1CCEB782F1EDD

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    svhost

  • subdirectory

    SubDir

Extracted

Family

lumma

C2

https://infect-crackle.cyou/api

https://covery-mover.biz/api

https://tacitglibbr.biz/api

https://immureprech.biz/api

https://deafeninggeh.biz/api

https://wrathful-jammy.cyou/api

https://awake-weaves.cyou/api

https://sordid-snaked.cyou/api

https://drive-connect.cyou/api

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7855878545:AAEEMUvgpX9jTAxlDd2gM_Sbv2jbI6-5_0o/sendMessage?chat_id=7427009775

https://api.telegram.org/bot962023231:AAG4by19NbHDMl2hPuMLesCOvrR264-4hSg/sendMessag

https://api.telegram.org/bot8081835502:AAFtGgtMdAzFeWYBpQcGx83fjDR_25zfjK0/sendDocument?chat_id=7538374929&caption=%F0%9F%92%A0DOTSTEALER%F0%9F%92%A0%0A%F0%9F%92%ABNew%20log:%0AIP:%20181.215.176.83%0AUsername:%20Admin%0ALocation:%20United%20Kingdom%20[GB],%20London,%20Englan

https://api.telegram.org/bot7587476277:AAEN7p2yOtrq884E9izAnIDu8WeE8vTqRjY/sendMessag

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

C2

82.117.243.110:5173

Mutex

yfsS9ida0wX8mgpdJC

Attributes
  • encryption_key

    KDNBgA8jiBeGX1rj1dDt

  • install_name

    csrss.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    NET framework

  • subdirectory

    SubDir

Extracted

Family

quasar

Version

1.4.1

Botnet

Aquarius

C2

192.168.8.103:4782

192.168.8.105:4782

192.168.8.114:4782

Mutex

a198a147-9efc-419d-9539-bac2108dc109

Attributes
  • encryption_key

    4CF458F992C472DE78F317085B34A8A1747FC32D

  • install_name

    WindowsDataUpdater.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    WindowsDataUpdater

  • subdirectory

    WinBioData

Extracted

Family

quasar

Version

1.4.1

Botnet

su-pc

C2

192.168.100.2:4444

Mutex

47a88def-94f4-406d-86f5-8b0b767128df

Attributes
  • encryption_key

    6B74F0C858B7E90573D4E97997F2A082B9781250

  • install_name

    x.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    x

  • subdirectory

    SubDir

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1296494108667416678/ZASeLgYlw4OZSUv8h9jKQd4eY6ktpyF3T4vMXTNf0Ppbac5asKxIs_xZz8YEc__J4qsO

Extracted

Family

xworm

C2

127.0.0.1:58963

login-donor.gl.at.ply.gg:58963

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    MicrosoftProfile.exe

  • pastebin_url

    https://pastebin.com/raw/yDTTG7qZ

Extracted

Family

xworm

Version

3.1

C2

camp.zapto.org:7771

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Extracted

Family

stealc

Botnet

Voov1

C2

http://154.216.17.90

Attributes
  • url_path

    /a48146f6763ef3af.php

Extracted

Family

stealc

Botnet

Voov3

C2

http://154.216.17.90

Attributes
  • url_path

    /a48146f6763ef3af.php

Extracted

Family

stealc

Botnet

QQTalk2

C2

http://154.216.17.90

Attributes
  • url_path

    /a48146f6763ef3af.php

Targets

    • Target

      241127-xqsswsslej_pw_infected.zip

    • Size

      12KB

    • MD5

      79fd058f7d06cc022de1786507eb26e3

    • SHA1

      86590ec8ed73fd2951587561dff5387e9e0e18e6

    • SHA256

      cf99eaaa334a9c8ffc2fe0e1068ffcc02dda1dd8b2b0eab2821182c5d2c1f51d

    • SHA512

      8316ac3782c05a3ebea4ca0868e33512e5ef29b251498f3af5ab261cd2010dec6b0eca8a57adcadb0d70653be2e22c0c2c137c7a38ec7b3d5ebbdd02e09c0227

    • SSDEEP

      384:sBfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWT:wfACW6Dr8HWTHWT

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • Detect Xworm Payload

    • Discord RAT

      A RAT written in C# using Discord as a C2.

    • Discordrat family

    • Gurcu family

    • Gurcu, WhiteSnake

      Gurcu aka WhiteSnake is a malware stealer written in C#.

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Modifies WinLogon for persistence

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

    • Nanocore family

    • Phorphiex family

    • Phorphiex payload

    • Phorphiex, Phorpiex

      Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Snakekeylogger family

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • UAC bypass

    • Xmrig family

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • DCRat payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • XMRig Miner payload

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Enumerates processes with tasklist

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      241127-xqsswsslej_pw_infected/Downloaders.zip

    • Size

      12KB

    • MD5

      94fe78dc42e3403d06477f995770733c

    • SHA1

      ea6ba4a14bab2a976d62ea7ddd4940ec90560586

    • SHA256

      16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

    • SHA512

      add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff

    • SSDEEP

      384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB

    Score
    1/10
    • Target

      4363463463464363463463463.zip

    • Size

      4KB

    • MD5

      202786d1d9b71c375e6f940e6dd4828a

    • SHA1

      7cad95faa33e92aceee3bcc809cd687bda650d74

    • SHA256

      45930e1ff487557dd242214c1e7d07294dbedfa7bc2cf712fae46d8d6b61de76

    • SHA512

      de81012a38c1933a82cb39f1ac5261e7af8df80c8478ed540111fe84a6f150f0595889b0e087889894187559f61e1142d7e4971d05bceb737ed06f13726e7eae

    • SSDEEP

      96:XBf1inGx9SfZ+VCv3wlTDMQ1kyKXyyJNOBIKkNvL5qK+7zHf6MlYOQVPGmcEw:XBfwncSf8Cv3w9DZjKXjmBIKEvLs97D3

    Score
    1/10
    • Target

      4363463463464363463463463.exe

    • Size

      10KB

    • MD5

      2a94f3960c58c6e70826495f76d00b85

    • SHA1

      e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

    • SHA256

      2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

    • SHA512

      fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

    • SSDEEP

      192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Azorult family

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Creates new service(s)

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Drops file in System32 directory

    • Enumerates processes with tasklist

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      New Text Document mod.exse.zip

    • Size

      7KB

    • MD5

      a7b1b22096cf2b8b9a0156216871768a

    • SHA1

      48acafe87df586a0434459b068d9323d20f904cb

    • SHA256

      82fbb67bf03714661b75a49245c8fe42141e7b68dda3f97f765eb1f2e00a89a9

    • SHA512

      35b3c89b18135e3aca482b376f5013557db636a332a18c4b43d34d3983e5d070a926c95e40966fafea1d54569b9e3c4ab483eaca81b015724d42db24b5f3805f

    • SSDEEP

      192:R5ghioVh+82eei8mXvdTghioVh+82eei8mXvK1B:jHWTHWW

    Score
    1/10
    • Target

      New Text Document mod.exe

    • Size

      8KB

    • MD5

      69994ff2f00eeca9335ccd502198e05b

    • SHA1

      b13a15a5bea65b711b835ce8eccd2a699a99cead

    • SHA256

      2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2

    • SHA512

      ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3

    • SSDEEP

      96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

    • 44Caliber

      An open source infostealer written in C#.

    • 44Caliber family

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Detect Umbral payload

    • Detect Xworm Payload

    • Discord RAT

      A RAT written in C# using Discord as a C2.

    • Discordrat family

    • Gurcu family

    • Gurcu, WhiteSnake

      Gurcu aka WhiteSnake is a malware stealer written in C#.

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Stealc

      Stealc is an infostealer written in C++.

    • Stealc family

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • UAC bypass

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • Umbral family

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Adds policy Run key to start application

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Enumerates processes with tasklist

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      New Text Document mod.exse

    • Size

      8KB

    • MD5

      69994ff2f00eeca9335ccd502198e05b

    • SHA1

      b13a15a5bea65b711b835ce8eccd2a699a99cead

    • SHA256

      2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2

    • SHA512

      ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3

    • SSDEEP

      96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

    • 44Caliber

      An open source infostealer written in C#.

    • 44Caliber family

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Detect Umbral payload

    • Detect Xworm Payload

    • Discord RAT

      A RAT written in C# using Discord as a C2.

    • Discordrat family

    • Gurcu family

    • Gurcu, WhiteSnake

      Gurcu aka WhiteSnake is a malware stealer written in C#.

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Stealc

      Stealc is an infostealer written in C++.

    • Stealc family

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • UAC bypass

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • Umbral family

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Adds policy Run key to start application

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Enumerates processes with tasklist

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

dcratdiscordratgurculummananocorephorphiexquasarredlinesnakekeyloggerxmrigxwormnewbundle2office04collectiondefense_evasiondiscoveryevasionexecutioninfostealerkeyloggerloaderminerpersistenceprivilege_escalationratrootkitspywarestealertrojanupxworm
Score
10/10

behavioral2

Score
1/10

behavioral3

Score
1/10

behavioral4

azorultquasaraquariusofficesu-pccollectioncredential_accessdefense_evasiondiscoveryexecutioninfostealerpersistenceprivilege_escalationspywarestealertrojanupx
Score
10/10

behavioral5

Score
1/10

behavioral6

44caliberdiscordratgurculummaquasarstealcumbralxwormqqtalk2voov1voov3credential_accessdefense_evasiondiscoveryevasionexecutionpersistenceprivilege_escalationpyinstallerratrootkitspywarestealertrojanupx
Score
10/10

behavioral7

44caliberdiscordratgurculummastealcumbralxwormvoov3credential_accessdefense_evasiondiscoveryevasionexecutionpersistencepyinstallerratrootkitspywarestealertrojanupx
Score
10/10