Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
New Text Document.exe.zip
-
Size
1KB
-
Sample
250127-2gt2taxpgv
-
MD5
0206983f12db26f622bbe73b165f126f
-
SHA1
e71f9fc602245a337f728e27917b0b716d3828f9
-
SHA256
6b81b36622febc198dbe4596349b7b781cd6b278e9db9145a2de8b14b045e128
-
SHA512
296372c60204ead1709a556001fd2a932e98814d30b42771beb19cc1298f92f3823372a83c1752f49f8073ea238e60f4c5e270a85b6dba2821621e68fd6f5cfc
Static task
static1
Behavioral task
behavioral1
Sample
New Text Document.exe.zip
Resource
win10v2004-20241007-en
Behavioral task
behavioral2
Sample
New Text Document.exe.zip
Resource
win10ltsc2021-20250113-en
Malware Config
Extracted
quasar
1.4.1
PrudaBackend
45.131.108.110:4782
8f8e6059-ac4f-4e47-8d62-3ce070083ecf
-
encryption_key
D82EC4913FC5B28DDFF5AC48635D190A9342C6BD
-
install_name
update.exe
-
log_directory
Logs
-
reconnect_delay
2500
-
startup_key
Runtime Broker.exe
Extracted
quasar
1.4.1
powerstealer
192.168.56.1:4782
6760d0e9-9df9-4aba-89be-4e5ce3e92cc8
-
encryption_key
057FCAF700E62ACFECC7338C474084AF9B47ABEB
-
install_name
powerstealer.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Extracted
vidar
https://t.me/sc1phell
https://steamcommunity.com/profiles/76561199819539662
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0
Extracted
quasar
1.4.1
Office04
100.108.37.105:4444
127.0.0.1:4444
95a85978-c10d-4a09-935b-c02a2a18a609
-
encryption_key
6FDAA03D192B9C03BF83E41A8BBF78996D321E27
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Extracted
xworm
45.141.26.234:7000
-
Install_directory
%ProgramData%
-
install_file
Java Update(32bit).exe
Extracted
smokeloader
2017
http://dogewareservice.ru/
Extracted
xworm
3.1
h5HhCg9MKR6vgFJb
-
Install_directory
%AppData%
-
install_file
USB.exe
-
pastebin_url
https://pastebin.com/raw/djZsmRNC
Extracted
asyncrat
0.5.7B
System Program
tuna91.duckdns.org:1604
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
true
-
install_file
system.exe
-
install_folder
%AppData%
Extracted
xworm
5.0
WlO6Om8yfxIARVE4
-
install_file
USB.exe
-
pastebin_url
https://pastebin.com/raw/7G6zzQwJ
Extracted
lumma
https://toppyneedus.biz/api
Targets
-
-
Target
New Text Document.exe.zip
-
Size
1KB
-
MD5
0206983f12db26f622bbe73b165f126f
-
SHA1
e71f9fc602245a337f728e27917b0b716d3828f9
-
SHA256
6b81b36622febc198dbe4596349b7b781cd6b278e9db9145a2de8b14b045e128
-
SHA512
296372c60204ead1709a556001fd2a932e98814d30b42771beb19cc1298f92f3823372a83c1752f49f8073ea238e60f4c5e270a85b6dba2821621e68fd6f5cfc
-
Asyncrat family
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Detect Vidar Stealer
-
Detect Xworm Payload
-
Lumma family
-
Quasar family
-
Quasar payload
-
Smokeloader family
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
UAC bypass
-
Vidar family
-
Xworm family
-
Async RAT payload
-
Adds policy Run key to start application
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
A potential corporate email address has been identified in the URL: [email protected]
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory
-
Enumerates processes with tasklist
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
4Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1