
General

  • Target

    e05bb1093fc6e48f0092aa1925080612b07b78b3e4232844b6bd455b9561083e

  • Size

    993KB

  • Sample

    250203-gqem9ssmev

  • MD5

    3a3c88a6665e33e283c9a42cba74bb2c

  • SHA1

    617bb1632b6d70ff39bb8c907bb9998aa4bae87e

  • SHA256

    e05bb1093fc6e48f0092aa1925080612b07b78b3e4232844b6bd455b9561083e

  • SHA512

    9f97ab6ffd3b020d5159778e1284d8dc58128530e7eae6784583c312121ea60b11ece86e71426a038b532cb0f7c58e8d2a2863ba9a99525ee17ed9e57c4afe88

  • SSDEEP

    24576:y/Xj1RPW7Dw/EgpozVIBOb2L9D+7TFzULvD+9s0EqkJGtVxJ:y/zu7Dw/RoRHLJzEX0EhJGt

Malware Config

Extracted

Family

loaderbot

C2

http://vilitus.beget.tech/cmd.php
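The hashes in the General section and the extracted C2 URL are the indicators a responder takes away from this report. The script below is an added example (not part of the Triage report or of any project the report describes) that hashes files with the same four algorithms the report lists and scans proxy access-log lines for contact with the loaderbot C2 host. The log lines are constructed for the example; the Squid-style field layout and the function names are assumptions.

```python
# Added example, not part of the Triage report: check files and proxy logs
# against the indicators the report publishes (the four file digests and the
# loaderbot C2 URL). The log lines at the bottom are constructed for the example.
import hashlib
import os
import re
import tempfile

# Indicators copied from the report.
IOC_HASHES = {
    "md5": "3a3c88a6665e33e283c9a42cba74bb2c",
    "sha1": "617bb1632b6d70ff39bb8c907bb9998aa4bae87e",
    "sha256": "e05bb1093fc6e48f0092aa1925080612b07b78b3e4232844b6bd455b9561083e",
    "sha512": ("9f97ab6ffd3b020d5159778e1284d8dc58128530e7eae6784583c312121ea60b"
               "11ece86e71426a038b532cb0f7c58e8d2a2863ba9a99525ee17ed9e57c4afe88"),
}
C2_URL = "http://vilitus.beget.tech/cmd.php"
C2_HOST = "vilitus.beget.tech"


def hash_bytes(data):
    """Return the same four digests the report lists, as lowercase hex."""
    return {name: hashlib.new(name, data).hexdigest() for name in IOC_HASHES}


def hash_file(path, chunk_size=1 << 20):
    """Stream a file through all four hashers at once (no whole-file read)."""
    hashers = {name: hashlib.new(name) for name in IOC_HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def matches_sample(digests):
    """Names of the digests that equal the report's values (empty = no match).
    Comparison is case-insensitive because tools disagree on hex casing."""
    return [name for name, value in IOC_HASHES.items()
            if digests.get(name, "").lower() == value]


def file_matches_sample(path):
    """Convenience wrapper: True if the file on disk is the reported sample."""
    return bool(matches_sample(hash_file(path)))


def hash_file_agrees_with_bytes(data):
    """Sanity check for the streaming hasher: write data to a temp file and
    confirm hash_file() (with a tiny chunk size) equals hash_bytes()."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        return hash_file(path, chunk_size=7) == hash_bytes(data)
    finally:
        os.unlink(path)


# Squid native access-log layout (assumed): ts elapsed client code/status bytes method url ...
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)")


def url_host(url):
    """Host part of a URL, lowercased, without scheme, path or port."""
    return url.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0].lower()


def find_c2_traffic(log_lines):
    """(client, url) for every log line whose URL points at the loaderbot C2 host.
    Matching on the host rather than the full URL also catches cmd.php?x=... variants."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and url_host(m.group("url")) == C2_HOST:
            hits.append((m.group("client"), m.group("url")))
    return hits


# Constructed sample log lines, not taken from the report.
SAMPLE_LOG = [
    "1738570000.123 45 10.0.0.15 TCP_MISS/200 512 GET http://vilitus.beget.tech/cmd.php - HIER_DIRECT/203.0.113.5 text/html",
    "1738570001.456 30 10.0.0.16 TCP_MISS/200 2048 GET http://example.com/index.html - HIER_DIRECT/198.51.100.7 text/html",
    "1738570002.789 12 10.0.0.15 TCP_MISS/200 128 POST http://vilitus.beget.tech/cmd.php?id=1 - HIER_DIRECT/203.0.113.5 text/plain",
]

if __name__ == "__main__":
    for client, url in find_c2_traffic(SAMPLE_LOG):
        print("C2 contact from %s -> %s" % (client, url))
    print("empty-file digests match sample:", matches_sample(hash_bytes(b"")))
```

Matching on the host rather than the exact URL is deliberate: the path and query string of a PHP C2 endpoint change between builds, the hosting account name usually does not. Hash matching only finds this exact build; a repacked sample will have different digests, which is why the behavioural signatures further down matter more for detection.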

Targets

    • Xmrig family

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner; here it is the dropped payload.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • XMRig Miner payload

    • Checks BIOS information in registry

      BIOS information is often read to detect sandbox and virtual-machine environments, whose BIOS strings identify the hypervisor.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing (refusing to run in certain regions).

    • Cryptocurrency Miner

      Makes a network request to a known mining-pool URL.

    • Drops startup file

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer that runs Windows applications on other operating systems and can be used as a sandboxing environment, so malware checks for its registry keys.

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger
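The signature list above names the sample's anti-analysis checks (VirtualBox ACPI keys, BIOS values, Wine keys, ThreadHideFromDebugger), its geofence lookup and its Run-key persistence, but not how one would tell them apart in a behaviour trace. The following is an added example (not code from the Triage report or from any project it describes) that classifies trace events into those techniques and produces a verdict in the same groupings. The trace format (`pid<TAB>operation<TAB>target`, with Procmon-style operation names) and the function names are assumptions; the registry paths are the well-known locations each check uses, not paths recovered from this sample.

```python
# Added example, not part of the Triage report: classify the registry and API
# activity that the report's signatures describe (VirtualBox ACPI keys, BIOS
# values, Wine keys, the Geo\Nation country code, Run-key persistence and
# NtSetInformationThread/ThreadHideFromDebugger). Trace lines are constructed,
# in a hypothetical "pid<TAB>operation<TAB>target" format with Procmon-style
# operation names; the key paths are the well-known ones each check uses, not
# paths recovered from this sample.
import re
from collections import defaultdict

HIVE_ALIASES = {
    "HKEY_LOCAL_MACHINE": "HKLM",
    "HKEY_CURRENT_USER": "HKCU",
    "HKEY_USERS": "HKU",
}

# (label, operations that count or None for any, regex over the normalised target)
TECHNIQUES = [
    ("virtualbox_acpi", None,
     r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__"),
    ("bios_check", None,
     r"^HKLM\\HARDWARE\\DESCRIPTION\\SYSTEM\\(SYSTEMBIOSVERSION|SYSTEMBIOSDATE|VIDEOBIOSVERSION)$"),
    ("wine_check", None,
     r"^(HKCU|HKLM)\\SOFTWARE\\WINE(\\|$)"),
    ("geo_lookup", None,
     r"^HKCU\\CONTROL PANEL\\INTERNATIONAL\\GEO\\NATION$"),
    # Only a write to the Run key is persistence; reads of it are common and benign.
    ("run_key_persist", {"REGSETVALUE"},
     r"^(HKCU|HKLM)\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN(ONCE)?\\[^\\]+$"),
    # ThreadHideFromDebugger (THREADINFOCLASS 0x11) detaches the thread from a debugger.
    ("hide_from_debugger", {"NTSETINFORMATIONTHREAD"},
     r"^THREADHIDEFROMDEBUGGER$"),
]
COMPILED = [(label, ops, re.compile(rx)) for label, ops, rx in TECHNIQUES]
VM_CHECKS = {"virtualbox_acpi", "bios_check", "wine_check"}


def normalise_target(target):
    """Short hive name plus upper-cased path, so one regex covers both spellings."""
    hive, sep, rest = target.partition("\\")
    return HIVE_ALIASES.get(hive.upper(), hive.upper()) + sep + rest.upper()


def classify_event(operation, target):
    """Technique label for one trace event, or None if it matches nothing."""
    norm = normalise_target(target)
    op = operation.upper()
    for label, ops, rx in COMPILED:
        if ops is not None and op not in ops:
            continue
        if rx.search(norm):
            return label
    return None


def summarise(trace_lines):
    """Map pid -> sorted list of technique labels seen for that process."""
    per_pid = defaultdict(set)
    for line in trace_lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 3:
            continue  # malformed line: skip rather than abort the whole triage run
        pid, op, target = parts
        label = classify_event(op, target)
        if label:
            per_pid[pid].add(label)
    return {pid: sorted(labels) for pid, labels in per_pid.items()}


def verdict(labels):
    """Human-readable findings, grouped the way the report groups its signatures."""
    labels = set(labels)
    findings = []
    vm_hits = labels & VM_CHECKS
    if len(vm_hits) >= 2:
        findings.append("sandbox/VM evasion (%d distinct checks)" % len(vm_hits))
    if "hide_from_debugger" in labels:
        findings.append("anti-debugging (ThreadHideFromDebugger)")
    if "geo_lookup" in labels:
        findings.append("possible geofencing")
    if "run_key_persist" in labels:
        findings.append("Run-key persistence")
    return findings


# Constructed trace (not from the report): pid 1234 behaves like the sample,
# pid 5678 is a benign process reading an unrelated key.
TRACE = [
    "1234\tRegOpenKey\tHKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__",
    "1234\tRegQueryValue\tHKLM\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion",
    "1234\tRegOpenKey\tHKEY_CURRENT_USER\\Software\\Wine",
    "1234\tRegQueryValue\tHKCU\\Control Panel\\International\\Geo\\Nation",
    "1234\tRegQueryValue\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater",
    "1234\tRegSetValue\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater",
    "1234\tNtSetInformationThread\tThreadHideFromDebugger",
    "5678\tRegQueryValue\tHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName",
]

if __name__ == "__main__":
    for pid, labels in summarise(TRACE).items():
        print(pid, labels, verdict(labels))
```

Two design points matter in practice. A single anti-VM registry read is weak evidence (installers and licensing code read BIOS strings too), so the verdict only calls evasion when two or more distinct checks appear in the same process. And the Run key is read by many benign programs, so persistence is only flagged on a set-value operation, which is why the constructed trace includes a read of the same value that must not count.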
