General

  • Target

    run.ps1

  • Size

    43B

  • Sample

    250107-fwrz4swjgx

  • MD5

    cefc1c3285ecac3a02ccbc8e0cebb558

  • SHA1

    7c2b049342ccd09474fcf8306c28c7d162c6d9b1

  • SHA256

    95cd2e94c29d862fd16c2cc19b0916784cf9ab2b93c7b9d816d34fe22ee239f7

  • SHA512

    b4a4dd60d8518e7629c6e5674d4cf185f7ce250f73dcfe110433d19933f2572bb814e54f234709a8d045f7c37a75298a36d537406c4002e4c0bb626c90eb22fc

Malware Config

Extracted

  • Language

    hta

  • Source

  • URLs

    hta.dropper: https://simplerwebs.space/anrek.mp4

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper: https://klipdiheqoe.shop/ruwkl.png

Extracted

Family

lumma

C2

https://grooveoiy.cyou/api

Targets

    • Target

      run.ps1

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Uses a powershell.exe command.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks