Overview

Analysis tasks (score out of 10, target as abbreviated in the report, sandbox platform):

  10/10  Static
  10/10  Pass 8864/...on.exe   windows10-ltsc 2021-x64
  10/10  Pass 8864/...on.exe   windows10-2004-x64
  10/10  Pass 8864/...re.dll   windows11-21h2-x64
   1/10  Pass 8864/...re.dll   windows10-2004-x64
   1/10  Pass 8864/...ms.dll   windows10-2004-x64
   1/10  Pass 8864/...ms.dll   windows10-2004-x64
   1/10  Pass 8864/...pf.dll   windows10-2004-x64
   1/10  Pass 8864/...pf.dll   windows10-2004-x64
   1/10  Pass 8864/...on.dll   windows11-21h2-x64
   1/10  Pass 8864/...on.dll   windows10-2004-x64
   1/10  Pass 8864/...is.dll   windows10-2004-x64
   1/10  Pass 8864/...is.dll   windows10-2004-x64
   1/10  Pass 8864/...4l.exe   windows10-2004-x64
   1/10  Pass 8864/...4l.exe   windows10-2004-x64
   1/10  Pass 8864/...it.bat   windows10-2004-x64
   1/10  Pass 8864/...it.bat   windows10-2004-x64
   1/10  Pass 8864/...ge.bat   windows11-21h2-x64
   1/10  Pass 8864/...ge.bat   windows10-2004-x64
   1/10  Pass 8864/...er.dll   windows10-2004-x64
   1/10  Pass 8864/...er.dll   windows10-2004-x64

Note that the windows11-21h2-x64 run of the ...re.dll task scored 10/10 while the target card for that DLL further down shows 1/10; the report does not explain the difference, so treat the per-run score as the authoritative one for that run.
General

Target: Pass 8864.zip
Size: 4.7MB
Sample: 241226-wf87fstjcz
MD5: 0178e791918b66c56ac8359005ebb979
SHA1: bcc3b8045526f713e8ccefaa1050ab8fdaf53a45
SHA256: 2592ac7a76bc435a210d3646794abf0a654937d0ce6553ebc14982480a169433
SHA512: 1dd950696d69a59fc944d8a809390dc352a13338e0e5cf81e1e274b0e04c6858cb877cb4da2c358329e017f9e2b33981611e806075cb3e1f8e3149b47a6d1bde
SSDEEP: 98304:RlBiFzdYGiwC+zNIfwvilltOrnmeZ0ARLuq6ZIfPHUXeH4gdkYlfnCeK60Usv:RI/ir2vr6CuF1X2Rdk4hKI4
Behavioral tasks (task: sample, sandbox resource)

behavioral1: Pass 8864/Argon/Argon.exe, win10ltsc2021-20241211-en
behavioral2: Pass 8864/Argon/Argon.exe, win10v2004-20241007-en
behavioral3: Pass 8864/Argon/Microsoft.Web.WebView2.Core.dll, win11-20241007-en
behavioral4: Pass 8864/Argon/Microsoft.Web.WebView2.Core.dll, win10v2004-20241007-en
behavioral5: Pass 8864/Argon/Microsoft.Web.WebView2.WinForms.dll, win10v2004-20241007-en
behavioral6: Pass 8864/Argon/Microsoft.Web.WebView2.WinForms.dll, win10v2004-20241007-en
behavioral7: Pass 8864/Argon/Microsoft.Web.WebView2.Wpf.dll, win10v2004-20241007-en
behavioral8: Pass 8864/Argon/Microsoft.Web.WebView2.Wpf.dll, win10v2004-20241007-en
behavioral9: Pass 8864/Argon/Newtonsoft.Json.dll, win11-20241007-en
behavioral10: Pass 8864/Argon/Newtonsoft.Json.dll, win10v2004-20241007-en
behavioral11: Pass 8864/Argon/bin/Atlantis.dll, win10v2004-20241007-en
behavioral12: Pass 8864/Argon/bin/Atlantis.dll, win10v2004-20241007-en
behavioral13: Pass 8864/Argon/bin/oRniz4vtL94l.exe, win10v2004-20241007-en
behavioral14: Pass 8864/Argon/bin/oRniz4vtL94l.exe, win10v2004-20241007-en
behavioral15: Pass 8864/Argon/fix exploit.bat, win10v2004-20241007-en
behavioral16: Pass 8864/Argon/fix exploit.bat, win10v2004-20241007-en
behavioral17: Pass 8864/Argon/message.bat, win11-20241007-en
behavioral18: Pass 8864/Argon/message.bat, win10v2004-20241007-en
behavioral19: Pass 8864/Argon/runtimes/win-x64/native/WebView2Loader.dll, win10v2004-20241007-en
behavioral20: Pass 8864/Argon/runtimes/win-x64/native/WebView2Loader.dll, win10v2004-20241007-en
Malware Config

Extracted family: umbral
Discord webhook (the abused hosting/C2 endpoint flagged in the signatures below): https://discord.com/api/webhooks/1320456077468368906/F7rw766V_H8a2Z__0yhCNo12vx-Ia2NeCg2Ds_H44T5Cf5iiyVYLb09YSN1sfOYJwp1p

The path segment after the numeric webhook ID is the webhook token, which by itself authorises posting to the webhook; treat the full URL as a credential and share only the ID or a defanged form when circulating the indicator.
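Two things a responder wants from the webhook above are a token-free string to hunt for in proxy logs and the time the webhook was created. Discord IDs are snowflakes, so the creation time can be read straight out of the numeric ID without contacting Discord. The following is an added example, not tria.ge output and not Umbral's own code; the only inputs are the URL from the config above and Discord's documented snowflake epoch (2015-01-01T00:00:00Z in milliseconds).

```python
"""Decode a Discord webhook URL from an extracted stealer config.

Added example for this report page. The webhook URL is the one in the
Malware Config section; DISCORD_EPOCH_MS is Discord's documented snowflake
epoch. No network access is needed.
"""
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

DISCORD_EPOCH_MS = 1_420_070_400_000  # 2015-01-01T00:00:00Z, per Discord's API docs

# Webhook URL exactly as listed in the extracted config on this page.
WEBHOOK_URL = (
    "https://discord.com/api/webhooks/1320456077468368906/"
    "F7rw766V_H8a2Z__0yhCNo12vx-Ia2NeCg2Ds_H44T5Cf5iiyVYLb09YSN1sfOYJwp1p"
)

# Hosts Discord serves the webhook API on; anything else is rejected.
WEBHOOK_HOSTS = {"discord.com", "discordapp.com", "ptb.discord.com", "canary.discord.com"}
WEBHOOK_PATH_RE = re.compile(r"^/api/webhooks/(?P<id>\d{17,20})/(?P<token>[A-Za-z0-9_\-]+)$")


def parse_webhook(url: str) -> dict:
    """Split a webhook URL into its numeric ID and token; raise on anything else."""
    u = urlparse(url)
    if u.scheme != "https" or u.hostname not in WEBHOOK_HOSTS:
        raise ValueError(f"not a Discord webhook host: {u.hostname!r}")
    m = WEBHOOK_PATH_RE.match(u.path)
    if not m:
        raise ValueError(f"unexpected webhook path: {u.path!r}")
    return {"id": int(m["id"]), "token": m["token"]}


def snowflake_to_datetime(snowflake: int) -> datetime:
    """The top 42 bits of a Discord snowflake are milliseconds since DISCORD_EPOCH_MS."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def webhook_indicators(url: str) -> dict:
    """Derive hunting artefacts: webhook creation time and a token-free URL
    fragment that can be matched in proxy logs without exposing the token."""
    parts = parse_webhook(url)
    created = snowflake_to_datetime(parts["id"])
    return {
        "webhook_id": parts["id"],
        "token_length": len(parts["token"]),
        "created_utc": created.isoformat(timespec="seconds"),
        "proxy_match": f"discord.com/api/webhooks/{parts['id']}/",
    }


if __name__ == "__main__":
    for key, value in webhook_indicators(WEBHOOK_URL).items():
        print(f"{key:>13}: {value}")
```

For this sample the ID decodes to a creation time of 2024-12-22 18:21:01 UTC, a few days before the 241226 prefix of the sample ID above if that prefix is read as a YYMMDD date, which is the sort of freshness check that distinguishes a purpose-built exfiltration webhook from a long-lived shared one. The proxy_match string deliberately stops at the ID so the token never lands in a detection rule or ticket.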
Targets

Note on the low-scoring entries: the Microsoft.Web.WebView2.* and Newtonsoft.Json DLLs are standard redistributable libraries that ship alongside .NET applications. A 1/10 score means no signature fired on them in these runs; it is not a verification of the hashes against a known-good build, so check them against the vendor's published binaries if provenance matters.

Target: Pass 8864/Argon/Argon.exe
Size: 229KB
MD5: 0141daae60d7dd08a86fc4789cfb3689
SHA1: 791d4a8f158313d355fad6dafa158407e80581bf
SHA256: d22b7b3b76496cda8bcad31dce4b2b3ab5ed3b91926d744982e492e5b39cf296
SHA512: 74255f2cbb6345b4aefd7822587ca9503da2e49d41bb4306eca4e6ef96293b0f1c7e3173c8eb27aac54c1b0abebb8306d0e1d4b9aa824b153a8cd563a6640f9c
SSDEEP: 6144:FloZM0rIkd8g+EtXHkv/iD4+2S86YXzQUp8aLLyuOb8e1msi8i:HoZDL+EP8+2S86YXzQUp8aLLylA
Score: 10/10 (both behavioral runs, per the overview)
Signatures:
- Detect Umbral payload
- Umbral family
- Command and Scripting Interpreter: PowerShell (ATT&CK T1059.001): runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Legitimate hosting services abused for malware hosting/C2 (the Discord webhook in the extracted config above)
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
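The Defender-exclusion behaviour flagged for Argon.exe above is exactly what PowerShell ScriptBlock logging (Microsoft-Windows-PowerShell/Operational event 4104) exists to catch. The following is an added example, not part of the tria.ge report and not Umbral's code: a small rule that runs over constructed stand-ins for the ScriptBlockText field, including one wrapped in -EncodedCommand, which the report does not mention but which is the usual way such command lines are obfuscated and is assumed here for coverage. Add-MpPreference, Set-MpPreference and the -ExclusionPath, -ExclusionExtension and -ExclusionProcess parameters are the real Defender cmdlet names; the sample events are constructed, not from the sandbox run.

```python
"""Flag PowerShell script blocks that add Windows Defender exclusions.

Added example for this report page. SAMPLE_EVENTS are constructed stand-ins
for event 4104 records (RecordId, ScriptBlockText); they are not sandbox output.
"""
from __future__ import annotations

import base64
import re

# Real Defender cmdlet names and parameters.
CMDLET_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
EXCLUSION_RE = re.compile(r"-Exclusion(Path|Extension|Process)\b", re.IGNORECASE)
# powershell.exe -EncodedCommand / -enc / -e <base64 of UTF-16LE script>
ENCODED_RE = re.compile(r"(?:-enc(?:odedcommand)?|-e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_encoded_command(text: str) -> str:
    """Append the decoded form of any -EncodedCommand payload so the pattern
    matches run over the real script as well as the wrapper command line."""
    out = text
    for b64 in ENCODED_RE.findall(text):
        try:
            out += "\n" + base64.b64decode(b64).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue  # not a valid encoded command; keep only the wrapper
    return out


def defender_exclusion_hits(script_block: str) -> list[str]:
    """Return the exclusion kinds (Extension/Path/Process) the script block adds,
    or an empty list if it does not touch Defender exclusions at all."""
    text = decode_encoded_command(script_block)
    if not CMDLET_RE.search(text):
        return []
    return sorted({m.group(1).capitalize() for m in EXCLUSION_RE.finditer(text)})


def scan(events: list[dict]) -> list[dict]:
    """Run the rule over 4104-style records and return one alert per hit."""
    alerts = []
    for ev in events:
        kinds = defender_exclusion_hits(ev["ScriptBlockText"])
        if kinds:
            alerts.append({"record": ev["RecordId"], "exclusions": kinds})
    return alerts


# Constructed sample events (not from the sandbox run). Record 3 carries the
# same kind of command as record 2, but base64/UTF-16LE encoded.
_ENCODED = base64.b64encode("Add-MpPreference -ExclusionPath $env:TEMP".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"RecordId": 1, "ScriptBlockText": "Get-MpPreference | Select-Object ExclusionPath"},
    {"RecordId": 2, "ScriptBlockText": 'Add-MpPreference -ExclusionExtension "exe" '
                                       '-ExclusionPath "C:\\Users\\Public" -ExclusionProcess "svchost.exe"'},
    {"RecordId": 3, "ScriptBlockText": "powershell.exe -NoP -enc " + _ENCODED},
    {"RecordId": 4, "ScriptBlockText": "Set-MpPreference -DisableRealtimeMonitoring $true"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Record 1 (a read-only Get-MpPreference) and record 4 (a Set-MpPreference that disables a feature rather than adding an exclusion) deliberately produce no alert from this rule; the -Disable* switches deserve a sibling rule of their own. Where script block logging is not enabled, Defender's own event 5007 ("configuration changed") in Microsoft-Windows-Windows Defender/Operational still records the resulting exclusion change, so pair the two sources.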
Target: Pass 8864/Argon/Microsoft.Web.WebView2.Core.dll
Size: 589KB
MD5: a53ba26a25f78f512cb2f393f9c96463
SHA1: 4176d5607859817a0b44a253c34f7edb3a46f21e
SHA256: 88a3b62f45225a811cdb85df6dfd95c2bff9a0e43e3b04f813b125eaca56cc9f
SHA512: df1cd812fce4a46cae7f4d59256a12732367d16981b01f1067d58966d6612ae102eaa274fc3c9ac21aeb0422cf09ac1232fbe2b74d1daf6c76489f6e8de16751
SSDEEP: 12288:WrCyR/rpQ322fy+uFKcDmuRFNEMzeu+imQ269pRFZNIEJdIEY0lxEIPrEIgcvLc6:Va7
Score: 1/10 (no signatures listed)
Target: Pass 8864/Argon/Microsoft.Web.WebView2.WinForms.dll
Size: 37KB
MD5: 92acec9aed00f134ba86a0f7c496f26c
SHA1: 3cd10e0afdd7955716a83d5f5d59859c6f7c7353
SHA256: 29fc954c3fde1749817d158f3dd5ebe9efd3b3ce9708d86092fb1e9f023a1cb0
SHA512: 4e11772afa9282c2f5f2565b0e908102fc8d0a08c40ca57587c338698e9ab747ff5a1673d32b6cd09d7b22b0e6c2836f1324ec8257e5223754595160a4c28ad2
SSDEEP: 768:umgRNRbnIfWuJCRfXBkrQYZDgcEST3p4Jjrjh2jeFSUyauTv1JKia5/Zi/WG4KgL:XQR20BUQYZDgcEST3p4JjrjaeFSUyauO
Score: 1/10 (no signatures listed)
Target: Pass 8864/Argon/Microsoft.Web.WebView2.Wpf.dll
Size: 81KB
MD5: b98c511e0f75434a66d9bf0efd1795db
SHA1: 515c6c1627775ce5149b410f4b19a2f25b41b2a8
SHA256: 1c5b6c792916d168093ef9b836f33e818d2d15d0c81f0864b5cddff97d913319
SHA512: 73fc64485db816be0bf135c7740ee916836c3bf03caabb85a1be7c5b3a4862cc1caa4975944cfd670f1cc2d90ae7c305cbea3dd9f27633244c51e5efcbaed2cd
SSDEEP: 1536:jmJUzMJcumSzTIudfRz+Ohsha87Y1DHfFWyEb30mpc4Jjr4YeUqRHhwU0fdwzvUe:YUzMJNzTIudB+Oh0a8+DHfFC30mpc4JY
Score: 1/10 (no signatures listed)
Target: Pass 8864/Argon/Newtonsoft.Json.dll
Size: 695KB
MD5: 195ffb7167db3219b217c4fd439eedd6
SHA1: 1e76e6099570ede620b76ed47cf8d03a936d49f8
SHA256: e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d
SHA512: 56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac
SSDEEP: 12288:GBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUO:GBjk38WuBcAbwoA/BkjSHXP36RMG/
Score: 1/10 (no signatures listed)
Target: Pass 8864/Argon/bin/Atlantis.dll
Size: 6.0MB
MD5: cbf096a7133c07f1a19efde61c1aca13
SHA1: 55e3f5a470101a291f992a24d2e370ba15b039ca
SHA256: 00243e13c5a23ceaa06618d2770a320038bd24a69d0252dcca09e74b5d6a0013
SHA512: d9f5d9a34e86502fee87df15b13069284cf5fc7375e9d3c73011ee290e5dbfec0b137e93593f1b4227c0707df6255a4e2bc569325289735137eb07183abc58b3
SSDEEP: 98304:8j+/n7qBMK1BhXDn3nmDDyJa84v2aZoEmcLo3:aon1K1BhXDn3mDDyJa84v2aZtJLa
Score: 1/10 (no signatures listed)
Target: Pass 8864/Argon/bin/oRniz4vtL94l.exe
Size: 4.1MB
MD5: cd2cf251993d02bba6c82ceef9771dd8
SHA1: e9695d027a4babf1a3d5c2b900d69d1213dd160e
SHA256: 8241f49cd516cc727a9f24a56c9fcca5d14fab162d00a17514e662238043178a
SHA512: b5ffaf85f09451bef239ba7fd11361368e0750b9c9aa6b29f6450acd3a079ccb9f5a5045c0115268f731c4e82888867925f67c466626cd84d5a350b7ee3e7687
SSDEEP: 49152:rvVwASOvGtlqkbXPySBQnGkKX2M1m/RbtcJrzVX68TsgdVMuQni+e3d5RPPezNdx:KfySBQnGkKX2/pafVXIgml6tqq+b1
Score: 1/10 (no signatures listed)
Target: Pass 8864/Argon/fix exploit.bat
Size: 1KB
MD5: 5289fa561dcb8647582896af6528671a
SHA1: fda5871c543e9986194aa7c027aad8206d9bbe4a
SHA256: 762048396be01b02e2fb949f4276179732da23799cfb715600e333d7597475bc
SHA512: f8e90026dce457483ef7a5f5341bfb54a16432457e1139b5d8f4a6d18374e05668e7e4f1248dba0ed23ce036261803094b295493eac03fcb56859d5c3fe7b679
Score: 1/10 (no signatures listed)
Target: Pass 8864/Argon/message.bat
Size: 356B
MD5: c76645f1baab3397fc8ea7200d3bb908
SHA1: 1a5b47e2ba0cbe028cf20d5d949db616c9b18788
SHA256: 17165f9adf2601664b8f6fdbf87749f46fe53c1eccdb9a1e2fad4f46ab8dd967
SHA512: 1c422db62279267536fbd615f90bd2648f238599e1a7063834de23e11c7219cf176df0be671cfb7f08a9d7f52a387fb936ae3e2e85446156284fdce422300c7f
Score: 1/10 (no signatures listed)
Target: Pass 8864/Argon/runtimes/win-x64/native/WebView2Loader.dll
Size: 162KB
MD5: c9a5d0f278d57d83a03404b8baeeac64
SHA1: 39d44b999c1d89c36136804a373d4d427bc7d679
SHA256: 462b36fd1be6ca9f7563466a89e57c41ef4a4def3e0a84fa885d203aea4a3aaf
SHA512: 97dfb08eae34624b7679a4bb07dee242b2a38324dc13b8aaec6de7f6fed477e9f9bc7474d4df9fbe907d1a460723db7177b7128a26edf5bd73d38d4d45722db6
SSDEEP: 3072:fXAne8TlTRTSpL1ThTNTRyMDjRb/hy75HGRtVBviiZsZ5AalCPTxiEtJx9eg8Xjm:/yTlTRTUL1ThTNTRyeLq1GRtVBvPZsrw
Score: 1/10 (no signatures listed)