General

  • Target

    New Text Document.exe.zip

  • Size

    1KB

  • Sample

    250127-2gt2taxpgv

  • MD5

    0206983f12db26f622bbe73b165f126f

  • SHA1

    e71f9fc602245a337f728e27917b0b716d3828f9

  • SHA256

    6b81b36622febc198dbe4596349b7b781cd6b278e9db9145a2de8b14b045e128

  • SHA512

    296372c60204ead1709a556001fd2a932e98814d30b42771beb19cc1298f92f3823372a83c1752f49f8073ea238e60f4c5e270a85b6dba2821621e68fd6f5cfc

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

PrudaBackend

C2

45.131.108.110:4782

Mutex

8f8e6059-ac4f-4e47-8d62-3ce070083ecf

Attributes
  • encryption_key

    D82EC4913FC5B28DDFF5AC48635D190A9342C6BD

  • install_name

    update.exe

  • log_directory

    Logs

  • reconnect_delay

    2500

  • startup_key

    Runtime Broker.exe

Extracted

Family

quasar

Version

1.4.1

Botnet

powerstealer

C2

192.168.56.1:4782

Mutex

6760d0e9-9df9-4aba-89be-4e5ce3e92cc8

Attributes
  • encryption_key

    057FCAF700E62ACFECC7338C474084AF9B47ABEB

  • install_name

    powerstealer.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Extracted

Family

vidar

C2

https://t.me/sc1phell

https://steamcommunity.com/profiles/76561199819539662

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

100.108.37.105:4444

127.0.0.1:4444

Mutex

95a85978-c10d-4a09-935b-c02a2a18a609

Attributes
  • encryption_key

    6FDAA03D192B9C03BF83E41A8BBF78996D321E27

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Extracted

Family

xworm

C2

45.141.26.234:7000

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    Java Update(32bit).exe

Extracted

Family

smokeloader

Version

2017

C2

http://dogewareservice.ru/

Extracted

Family

xworm

Version

3.1

Mutex

h5HhCg9MKR6vgFJb

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

  • pastebin_url

    https://pastebin.com/raw/djZsmRNC

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

System Program

C2

tuna91.duckdns.org:1604

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    system.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

xworm

Version

5.0

Mutex

WlO6Om8yfxIARVE4

Attributes
  • install_file

    USB.exe

  • pastebin_url

    https://pastebin.com/raw/7G6zzQwJ

aes.plain

Extracted

Family

lumma

C2

https://toppyneedus.biz/api

Targets

    • AsyncRat

      AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

    • Asyncrat family

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Dcrat family

    • Detect Vidar Stealer

    • Detect Xworm Payload

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Quasar RAT

      Quasar is an open-source remote access tool.

    • Quasar family

    • Quasar payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Smokeloader family

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar family

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Async RAT payload

    • Adds policy Run key to start application

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Disables Task Manager via registry modification

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • A potential corporate email address has been identified in the URL: [email protected]

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Enumerates processes with tasklist

    • Suspicious use of SetThreadContext
