Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

4363463463...63.exe

windows11-21h2-x64

Resubmissions

10/01/2025, 00:42 UTC

250110-a2rcwawlcz 8

08/01/2025, 13:31 UTC

250108-qsdnes1qb1 10

17/12/2024, 13:35 UTC

241217-qv6rzs1nhp 10

15/11/2024, 19:06 UTC

241115-xr6q5szdnf 10

14/11/2024, 23:35 UTC

241114-3lfknavfqg 10

14/11/2024, 23:26 UTC

241114-3eysnavfje 10

14/11/2024, 23:12 UTC

241114-26znlavdqq 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4363463463464363463463463.exe

  • Size

    10KB

  • Sample

    241217-qv6rzs1nhp

  • MD5

    2a94f3960c58c6e70826495f76d00b85

  • SHA1

    e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

  • SHA256

    2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

  • SHA512

    fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

  • SSDEEP

    192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score
10/10
amadeyasyncratdharmaphorphiexquasarredlinestealcvidarxmrigxworm1176f2defaulteewxlinelivetrafficlogslogsdilleroffice04testvoov3credential_accessdefense_evasiondiscoveryevasionexecutionexploitimpactinfostealerloaderminerpersistenceprivilege_escalationpyinstallerransomwareratspywarestealerthemidatrojanupxworm

Malware Config

Extracted

Family

xworm

C2

rondtimes.top:1940

crazyrdp.africa:7000
Attributes
  • Install_directory

    %Userprofile%

  • install_file

    Windows.exe

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

192.168.181.84:4782

testinghigger-42471.portmap.host:42471
Mutex

1ed20179-691a-4881-806d-c5d12340d8e9

Attributes
  • encryption_key

    DF9BFB10D9C47294CB84A29DC07B28AE843D8C6F

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Extracted

Family

stealc

Botnet

Line

C2

http://154.216.17.90

Attributes
  • url_path

    /a48146f6763ef3af.php

Extracted

Family

stealc

Botnet

LogsDiller

C2

http://185.235.128.145

Attributes
  • url_path

    /b86b4c54b3438806.php

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

85.198.108.36:7667

Mutex

egghlcckqridunl

Attributes
  • delay

    6

  • install

    false

  • install_folder

    %Temp%

aes.plain
1
atkmeF2gXUOsYPgVoLqi2dqVYQvmk6ym

Extracted

Family

redline

Botnet

eewx

C2

185.81.68.147:1912

Extracted

Family

amadey

Version

4.41

Botnet

1176f2

C2

http://185.215.113.19

Attributes
  • install_dir

    417fd29867

  • install_file

    ednfoki.exe

  • strings_key

    183201dc3defc4394182b4bff63c4065

  • url_paths

    /CoreOPT/index.php

rc4.plain
1
c1ec479e5342a25940592acf24703eb2

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

1.tcp.ap.ngrok.io:21049

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    chrome.exe

  • install_folder

    %AppData%

aes.plain
1
z73jd7syMXPLlpjC3iCXcffkpKF3SwAn

Extracted

Family

redline

Botnet

LiveTraffic

C2

95.179.250.45:26212

Extracted

Family

stealc

Botnet

Voov3

C2

http://154.216.17.90

Attributes
  • url_path

    /a48146f6763ef3af.php

Extracted

Family

redline

Botnet

Logs

C2

185.215.113.9:9137

Extracted

Family

quasar

Version

1.4.1

Botnet

Test

C2

193.161.193.99:35184

67.205.154.243:35184
Mutex

9cabbafb-503b-49f1-ab22-adc756455c10

Attributes
  • encryption_key

    8B93C77AC1C58EA80A3327E9FD26246A79EF3B8E

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    MS Build Tools

  • subdirectory

    Microsoft-Build-Tools

Targets

    • Target

      4363463463464363463463463.exe

    • Size

      10KB

    • MD5

      2a94f3960c58c6e70826495f76d00b85

    • SHA1

      e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

    • SHA256

      2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

    • SHA512

      fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

    • SSDEEP

      192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

    Score
    10/10
    amadeyasyncratdharmaphorphiexquasarredlinestealcvidarxmrigxworm1176f2defaulteewxlinelivetrafficlogslogsdilleroffice04testvoov3credential_accessdefense_evasiondiscoveryevasionexecutionexploitimpactinfostealerloaderminerpersistenceprivilege_escalationpyinstallerransomwareratspywarestealerthemidatrojanupxworm

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Amadey family

      amadey

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • Detect Vidar Stealer

      stealer

    • Detect Xworm Payload

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

      ransomwaredharma

    • Dharma family

      dharma

    • Modifies WinLogon for persistence

      persistence

    • Phorphiex family

      phorphiex

    • Phorphiex payload

    • Phorphiex, Phorpiex

      Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

      wormtrojanloaderphorphiex

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar family

      quasar

    • Quasar payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • Stealc

      Stealc is an infostealer written in C++.

      stealerstealc

    • Stealc family

      stealc

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Xmrig family

      xmrig

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Async RAT payload

      rat

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Looks for VirtualBox drivers on disk

      evasion

    • Renames multiple (593) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • XMRig Miner payload

      miner

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Creates new service(s)

      persistenceexecution

    • Downloads MZ/PE file

    • Looks for VMWare Tools registry key

      evasion

    • Looks for VMWare drivers on disk

      evasion

    • Possible privilege escalation attempt

      exploit

    • Stops running service(s)

      evasionexecution

    • .NET Reactor proctector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops desktop.ini file(s)

    • File and Directory Permissions Modification: Windows File and Directory Permissions Modification

      defense_evasion

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

      defense_evasion

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

      persistence

    • Drops file in System32 directory

    • Enumerates processes with tasklist

      discovery

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

JavaScript

1
T1059.007

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

System Services

2
T1569

Service Execution

2
T1569.002

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Power Settings

1
T1653

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Direct Volume Access

1
T1006

File and Directory Permissions Modification

2
T1222

Windows File and Directory Permissions Modification

1
T1222.001

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Impair Defenses

1
T1562

Indicator Removal

3
T1070

File Deletion

3
T1070.004

Modify Registry

5
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Virtualization/Sandbox Evasion

5
T1497

Credential Access

Credentials from Password Stores

2
T1555

Credentials from Web Browsers

1
T1555.003

Windows Credential Manager

1
T1555.004

Unsecured Credentials

6
T1552

Credentials In Files

5
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Browser Information Discovery

1
T1217

File and Directory Discovery

2
T1083

Process Discovery

1
T1057

Query Registry

7
T1012

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Wi-Fi Discovery

1
T1016.002

Virtualization/Sandbox Evasion

5
T1497

Lateral Movement

Collection

Data from Local System

5
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Defacement

1
T1491

Inhibit System Recovery

2
T1490

Service Stop

1
T1489

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.