Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

4363463463...63.exe

windows10-ltsc 2021-x64

Resubmissions

17/01/2025, 15:11 UTC

250117-sk4kzssrhv 10

17/01/2025, 15:09 UTC

250117-sjgd3asrbs 10

17/01/2025, 15:07 UTC

250117-shlbmasqgv 10

17/01/2025, 14:27 UTC

250117-rsndas1pgx 10

16/01/2025, 17:37 UTC

250116-v7e71s1ncy 10

16/01/2025, 17:30 UTC

250116-v27eba1lew 10

16/01/2025, 17:29 UTC

250116-v232ws1let 3

16/01/2025, 17:29 UTC

250116-v21lrs1ldz 3

16/01/2025, 17:27 UTC

250116-v1g32a1qfk 10

16/01/2025, 09:47 UTC

250116-lsajjsvrgn 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4363463463464363463463463.exe.zip

  • Size

    4KB

  • Sample

    250116-v7e71s1ncy

  • MD5

    7b2b0ccc6317a6becadaf5e02311202e

  • SHA1

    ccad99b8fad61369101e068f0c3a5bec9cfa309f

  • SHA256

    bd948aeb2b607b34e8d32f22b9e5aee402057adebae4a2e0c70bd666e688f1f8

  • SHA512

    b7af04ee0792d2a13ffd7013e7c5f98cf037f06f8597e4f3261af04252137483ff7fcb7db28c60a543f130ac65307cd1c7a831c2267fa78a91f9acdcc535744a

  • SSDEEP

    96:ALOzCoGgabugh2Yu8fjMIsSv3JGHUrD5gf2jxkS7xQIKWV7YNgGptaT+YaL:ALObGgabf88jgcxR1NWIXWgGpo74

Score
10/10
asyncratdcratdharmagurcuquasarumbralxwormdefaultofficeoffice04svhosttargetdefense_evasiondiscoveryevasionexecutionimpactinfostealerpersistenceprivilege_escalationpyinstallerransomwareratspywarestealertrojanupxvmprotect

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Target

C2

127.0.0.1:6070

affasdqa.ddns.net:6070

haffasdqa.duckdns.org:6070
Mutex

670d21b7-71ed-4958-9ba7-a58fa54d8203

Attributes
  • encryption_key

    25B2622CE0635F9A273AB61B1B7D7B94220AC509

  • install_name

    svhoste.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    svhoste

  • subdirectory

    SubDir

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

172.204.136.22:1604

18.ip.gl.ply.gg:6606

18.ip.gl.ply.gg:7707

18.ip.gl.ply.gg:8808

18.ip.gl.ply.gg:9028

0.tcp.in.ngrok.io:10147
Mutex

ghbyTnUySCmF

Attributes
  • delay

    3

  • install

    false

  • install_file

    RoyalKing.exe

  • install_folder

    %AppData%

aes.plain
1
nQVju43nhoV1o1b7ftIdvuSTnV9RJ1sP
aes.plain
1
HGwF1qxitL7zd2Tfjwxu09zDAchQ1YIw
aes.plain
1
ieO5QOaoT8gQ66VAQi5VAhN8FoTlyJio

Extracted

Family

asyncrat

Botnet

Default

C2

technical-southwest.gl.at.ply.gg:58694

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain
1
BaRw1jGgjSFrPCwhNQpE5eHvIaDB7Aex

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

havocc.ddns.net:4782

testinghigger-42471.portmap.host:42471

Extazz24535-22930.portmap.host:22930

192.168.68.104:4782

interestingsigma.hopto.org:20

14.243.221.170:2654

104.251.123.245:23600
Mutex

6a533ca9-c745-463c-8bba-b6aaa9eb7fab

Attributes
  • encryption_key

    CB213225C623A8CB39D3E1628CD4D7E7D686A7F3

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Discord

  • subdirectory

    SubDir

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

3.70.228.168:555

Mutex

bslxturcmlpmyqrv

Attributes
  • delay

    1

  • install

    true

  • install_file

    atat.exe

  • install_folder

    %AppData%

aes.plain
1
Lcx8OBGkaWAeTyc3i22GJufFSfJIvzKg

Extracted

Family

xworm

C2

127.0.0.1:6000

103.211.201.109:6000

127.0.0.1:48990

147.185.221.22:48990
Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

  • telegram

    https://api.telegram.org/bot7929370892:AAGwrX5TeyxQidZdAEm_Z6-CDvPUOQzVY1M

Extracted

Family

quasar

Version

1.4.0

Botnet

svhost

C2

151.177.61.79:4782

Mutex

a148a6d8-1253-4e62-bc5f-c0242dd62e69

Attributes
  • encryption_key

    5BEC1A8BC6F8F695D1337C51454E0B7F3A4FE968

  • install_name

    svhost.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    svhost

  • subdirectory

    svhost

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

C2

82.117.243.110:5173

Mutex

yfsS9ida0wX8mgpdJC

Attributes
  • encryption_key

    KDNBgA8jiBeGX1rj1dDt

  • install_name

    csrss.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    NET framework

  • subdirectory

    SubDir

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7673498966:AAE8RwQQVWIce7zc1tvOHxg7_EravC7Vqis/sendDocument?chat_id=621271611

https://api.telegram.org/bot7929370892:AAGwrX5TeyxQidZdAEm_Z6-CDvPUOQzVY1M/sendMessage?chat_id=-4579594388

Targets

    • Target

      4363463463464363463463463.exe.bin

    • Size

      10KB

    • MD5

      2a94f3960c58c6e70826495f76d00b85

    • SHA1

      e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

    • SHA256

      2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

    • SHA512

      fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

    • SSDEEP

      192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

    Score
    10/10
    asyncratdcratdharmagurcuquasarumbralxwormdefaultofficeoffice04svhosttargetdefense_evasiondiscoveryevasionexecutionimpactinfostealerpersistenceprivilege_escalationpyinstallerransomwareratspywarestealertrojanupxvmprotect

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Detect Umbral payload

    • Detect Xworm Payload

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

      ransomwaredharma

    • Dharma family

      dharma

    • Gurcu family

      gurcu

    • Gurcu, WhiteSnake

      Gurcu aka WhiteSnake is a malware stealer written in C#.

      stealergurcu

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar family

      quasar

    • Quasar payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

      stealerumbral

    • Umbral family

      umbral

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Async RAT payload

      rat

    • DCRat payload

      rat

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Renames multiple (446) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Downloads MZ/PE file

    • Modifies Windows Firewall

      evasion

    • Stops running service(s)

      evasionexecution

    • .NET Reactor proctector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

System Services

1
T1569

Service Execution

1
T1569.002

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Direct Volume Access

1
T1006

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Impair Defenses

2
T1562

Disable or Modify System Firewall

1
T1562.004

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

4
T1012

Remote System Discovery

1
T1018

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Inhibit System Recovery

2
T1490

Service Stop

1
T1489

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.