Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
3241127-xqs...ed.zip
windows10-2004-x64
10241127-xqs...rs.zip
windows10-2004-x64
14363463463...63.zip
windows10-2004-x64
14363463463...63.exe
windows10-2004-x64
10New Text D...se.zip
windows10-2004-x64
1New Text D...od.exe
windows10-2004-x64
10New Text D...od.exe
windows10-2004-x64
10Resubmissions
31/12/2024, 21:35
241231-1fmqnszqft 1031/12/2024, 21:27
241231-1axzfssnek 1016/12/2024, 05:27
241216-f5kx6awmh1 1014/12/2024, 20:23
241214-y6jqlasrhy 1014/12/2024, 20:22
241214-y51bysvmbk 1014/12/2024, 20:13
241214-yzc98svkfr 1014/12/2024, 13:14
241214-qgw1masrcy 1014/12/2024, 13:12
241214-qfk7qsvlaq 312/12/2024, 18:19
241212-wymq6ssnat 10General
-
Target
241127-xqsswsslej_pw_infected.zip
-
Size
12KB
-
Sample
241212-www7tssmet
-
MD5
79fd058f7d06cc022de1786507eb26e3
-
SHA1
86590ec8ed73fd2951587561dff5387e9e0e18e6
-
SHA256
cf99eaaa334a9c8ffc2fe0e1068ffcc02dda1dd8b2b0eab2821182c5d2c1f51d
-
SHA512
8316ac3782c05a3ebea4ca0868e33512e5ef29b251498f3af5ab261cd2010dec6b0eca8a57adcadb0d70653be2e22c0c2c137c7a38ec7b3d5ebbdd02e09c0227
-
SSDEEP
384:sBfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWT:wfACW6Dr8HWTHWT
Static task
static1
Behavioral task
behavioral1
Sample
241127-xqsswsslej_pw_infected.zip
Resource
win10v2004-20241007-en
Behavioral task
behavioral2
Sample
241127-xqsswsslej_pw_infected/Downloaders.zip
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
4363463463464363463463463.zip
Resource
win10v2004-20241007-en
Behavioral task
behavioral4
Sample
4363463463464363463463463.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
New Text Document mod.exse.zip
Resource
win10v2004-20241007-en
Behavioral task
behavioral6
Sample
New Text Document mod.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
New Text Document mod.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
discordrat
-
discord_token
MTMxNTQxMDg0NDg3NTQ4OTI4MA.Gx5ptK.HY1OYsjGMP1MsOoyD2E7T9pCvkfHTdOPozmb_c
-
server_id
1315411300192616569
Extracted
xworm
5.0
127.0.0.1:7000
80.76.49.229:7000
127.0.0.1:8080
101.99.92.189:8080
WTs8NdiuS2GN0N0O
-
Install_directory
%AppData%
-
install_file
XClient.exe
Extracted
redline
newbundle2
185.215.113.67:15206
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.daipro.com.mx - Port:
587 - Username:
[email protected] - Password:
DAIpro123** - Email To:
[email protected]
Extracted
lumma
https://impend-differ.biz/api
https://print-vexer.biz/api
https://dare-curbys.biz/api
https://covery-mover.biz/api
https://formy-spill.biz/api
https://dwell-exclaim.biz/api
https://zinc-sneark.biz/api
https://se-blurry.biz/api
https://infect-crackle.cyou/api
https://servicedny.site/api
https://authorisev.site/api
https://faulteyotk.site/api
https://dilemmadu.site/api
https://contemteny.site/api
https://goalyfeastz.site/api
https://opposezmny.site/api
https://seallysl.site/api
https://ponintnykqwm.shop/api
https://sordid-snaked.cyou/api
https://awake-weaves.cyou/api
https://wrathful-jammy.cyou/api
https://debonairnukk.xyz/api
https://diffuculttan.xyz/api
https://effecterectz.xyz/api
https://deafeninggeh.biz/api
https://immureprech.biz/api
https://tacitglibbr.biz/api
Extracted
quasar
1.4.1
Office04
192.168.43.241:4782
0517af80-95f0-4a6d-a904-5b7ee8faa157
-
encryption_key
6095BF6D5D58D02597F98370DFD1CCEB782F1EDD
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
svhost
-
subdirectory
SubDir
Extracted
lumma
https://infect-crackle.cyou/api
https://covery-mover.biz/api
https://tacitglibbr.biz/api
https://immureprech.biz/api
https://deafeninggeh.biz/api
https://wrathful-jammy.cyou/api
https://awake-weaves.cyou/api
https://sordid-snaked.cyou/api
https://drive-connect.cyou/api
Extracted
gurcu
https://api.telegram.org/bot7855878545:AAEEMUvgpX9jTAxlDd2gM_Sbv2jbI6-5_0o/sendMessage?chat_id=7427009775
https://api.telegram.org/bot962023231:AAG4by19NbHDMl2hPuMLesCOvrR264-4hSg/sendMessag
https://api.telegram.org/bot8081835502:AAFtGgtMdAzFeWYBpQcGx83fjDR_25zfjK0/sendDocument?chat_id=7538374929&caption=%F0%9F%92%A0DOTSTEALER%F0%9F%92%A0%0A%F0%9F%92%ABNew%20log:%0AIP:%20181.215.176.83%0AUsername:%20Admin%0ALocation:%20United%20Kingdom%20[GB],%20London,%20Englan
https://api.telegram.org/bot7587476277:AAEN7p2yOtrq884E9izAnIDu8WeE8vTqRjY/sendMessag
Extracted
quasar
1.4.0.0
Office
82.117.243.110:5173
yfsS9ida0wX8mgpdJC
-
encryption_key
KDNBgA8jiBeGX1rj1dDt
-
install_name
csrss.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
NET framework
-
subdirectory
SubDir
Extracted
quasar
1.4.1
Aquarius
192.168.8.103:4782
192.168.8.105:4782
192.168.8.114:4782
a198a147-9efc-419d-9539-bac2108dc109
-
encryption_key
4CF458F992C472DE78F317085B34A8A1747FC32D
-
install_name
WindowsDataUpdater.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
WindowsDataUpdater
-
subdirectory
WinBioData
Extracted
quasar
1.4.1
su-pc
192.168.100.2:4444
47a88def-94f4-406d-86f5-8b0b767128df
-
encryption_key
6B74F0C858B7E90573D4E97997F2A082B9781250
-
install_name
x.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
x
-
subdirectory
SubDir
Extracted
44caliber
https://discord.com/api/webhooks/1296494108667416678/ZASeLgYlw4OZSUv8h9jKQd4eY6ktpyF3T4vMXTNf0Ppbac5asKxIs_xZz8YEc__J4qsO
Extracted
xworm
127.0.0.1:58963
login-donor.gl.at.ply.gg:58963
-
Install_directory
%Userprofile%
-
install_file
MicrosoftProfile.exe
-
pastebin_url
https://pastebin.com/raw/yDTTG7qZ
Extracted
xworm
3.1
camp.zapto.org:7771
-
Install_directory
%AppData%
-
install_file
USB.exe
Extracted
stealc
Voov1
http://154.216.17.90
-
url_path
/a48146f6763ef3af.php
Extracted
stealc
Voov3
http://154.216.17.90
-
url_path
/a48146f6763ef3af.php
Extracted
stealc
QQTalk2
http://154.216.17.90
-
url_path
/a48146f6763ef3af.php
Targets
-
-
Target
241127-xqsswsslej_pw_infected.zip
-
Size
12KB
-
MD5
79fd058f7d06cc022de1786507eb26e3
-
SHA1
86590ec8ed73fd2951587561dff5387e9e0e18e6
-
SHA256
cf99eaaa334a9c8ffc2fe0e1068ffcc02dda1dd8b2b0eab2821182c5d2c1f51d
-
SHA512
8316ac3782c05a3ebea4ca0868e33512e5ef29b251498f3af5ab261cd2010dec6b0eca8a57adcadb0d70653be2e22c0c2c137c7a38ec7b3d5ebbdd02e09c0227
-
SSDEEP
384:sBfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWT:wfACW6Dr8HWTHWT
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Detect Xworm Payload
-
Discordrat family
-
Gurcu family
-
Lumma family
-
Modifies WinLogon for persistence
-
Nanocore family
-
Phorphiex family
-
Phorphiex payload
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Quasar family
-
Quasar payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Redline family
-
Snake Keylogger payload
-
Snakekeylogger family
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Xmrig family
-
Xworm family
-
DCRat payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
XMRig Miner payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory
-
Enumerates processes with tasklist
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
241127-xqsswsslej_pw_infected/Downloaders.zip
-
Size
12KB
-
MD5
94fe78dc42e3403d06477f995770733c
-
SHA1
ea6ba4a14bab2a976d62ea7ddd4940ec90560586
-
SHA256
16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
-
SHA512
add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff
-
SSDEEP
384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB
Score1/10 -
-
-
Target
4363463463464363463463463.zip
-
Size
4KB
-
MD5
202786d1d9b71c375e6f940e6dd4828a
-
SHA1
7cad95faa33e92aceee3bcc809cd687bda650d74
-
SHA256
45930e1ff487557dd242214c1e7d07294dbedfa7bc2cf712fae46d8d6b61de76
-
SHA512
de81012a38c1933a82cb39f1ac5261e7af8df80c8478ed540111fe84a6f150f0595889b0e087889894187559f61e1142d7e4971d05bceb737ed06f13726e7eae
-
SSDEEP
96:XBf1inGx9SfZ+VCv3wlTDMQ1kyKXyyJNOBIKkNvL5qK+7zHf6MlYOQVPGmcEw:XBfwncSf8Cv3w9DZjKXjmBIKEvLs97D3
Score1/10 -
-
-
Target
4363463463464363463463463.exe
-
Size
10KB
-
MD5
2a94f3960c58c6e70826495f76d00b85
-
SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
-
SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
-
SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
-
SSDEEP
192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Azorult family
-
Quasar family
-
Quasar payload
-
Creates new service(s)
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Clipboard Data
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
-
Executes dropped EXE
-
Loads dropped DLL
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Drops file in System32 directory
-
Enumerates processes with tasklist
-
-
-
Target
New Text Document mod.exse.zip
-
Size
7KB
-
MD5
a7b1b22096cf2b8b9a0156216871768a
-
SHA1
48acafe87df586a0434459b068d9323d20f904cb
-
SHA256
82fbb67bf03714661b75a49245c8fe42141e7b68dda3f97f765eb1f2e00a89a9
-
SHA512
35b3c89b18135e3aca482b376f5013557db636a332a18c4b43d34d3983e5d070a926c95e40966fafea1d54569b9e3c4ab483eaca81b015724d42db24b5f3805f
-
SSDEEP
192:R5ghioVh+82eei8mXvdTghioVh+82eei8mXvK1B:jHWTHWW
Score1/10 -
-
-
Target
New Text Document mod.exe
-
Size
8KB
-
MD5
69994ff2f00eeca9335ccd502198e05b
-
SHA1
b13a15a5bea65b711b835ce8eccd2a699a99cead
-
SHA256
2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
-
SHA512
ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
-
SSDEEP
96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1
-
44Caliber family
-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Detect Umbral payload
-
Detect Xworm Payload
-
Discordrat family
-
Gurcu family
-
Lumma family
-
Quasar family
-
Quasar payload
-
Stealc family
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Umbral family
-
Xworm family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Adds policy Run key to start application
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory
-
Enumerates processes with tasklist
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
New Text Document mod.exse
-
Size
8KB
-
MD5
69994ff2f00eeca9335ccd502198e05b
-
SHA1
b13a15a5bea65b711b835ce8eccd2a699a99cead
-
SHA256
2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
-
SHA512
ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
-
SSDEEP
96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1
-
44Caliber family
-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Detect Umbral payload
-
Detect Xworm Payload
-
Discordrat family
-
Gurcu family
-
Lumma family
-
Stealc family
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Umbral family
-
Xworm family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Adds policy Run key to start application
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory
-
Enumerates processes with tasklist
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
3PowerShell
3Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
2Installer Packages
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Access Token Manipulation
1Create Process with Token
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
2Installer Packages
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Access Token Manipulation
1Create Process with Token
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify Tools
1Indicator Removal
1File Deletion
1Modify Registry
6Obfuscated Files or Information
1Command Obfuscation
1Subvert Trust Controls
1Install Root Certificate
1System Binary Proxy Execution
1Msiexec
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
5Credentials In Files
5Discovery
Browser Information Discovery
1Process Discovery
1Query Registry
8Remote System Discovery
1System Information Discovery
8System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
2Internet Connection Discovery
1Wi-Fi Discovery
1Virtualization/Sandbox Evasion
2