Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/02/2025, 16:25 UTC

General

  • Target

    26BSU_random.exe

  • Size

    6.3MB

  • MD5

    368e676306818d9266f0d4948e0eb541

  • SHA1

    4d67aef52ca4ff56130990bd789ba99887e8094f

  • SHA256

    3bf45d9e1a4948475d8770f14d50fcf227eb60484f892fab04896e95c16fe8ac

  • SHA512

    d9f0f7ce266411e3493d1c617d6d322beeed05704cd30689cd3e4f95c7f3d47ec2ab0704c17094a94dc4b2059bbd088df77751ed782d3aac06893319bd650d16

  • SSDEEP

    98304:yuDuKIqCMOWkhl9mPIiyZlpVbawv+MqdEjDYPVakdiNV2:5DuK7XOWXDyZlbVoVasiG

Malware Config

Extracted

Family

cryptbot

C2

http://home.fivejj5sr.top/fWukggcxTlVTnBnJjsCp17

Signatures

  • CryptBot

    CryptBot is a C++ stealer that is widely distributed bundled with other software.

  • Cryptbot family
  • Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\26BSU_random.exe
    "C:\Users\Admin\AppData\Local\Temp\26BSU_random.exe"
    1⤵
    • Enumerates VirtualBox registry keys
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:2512

Network

  • flag-us
    DNS
    httpbin.org
    26BSU_random.exe
    Remote address:
    8.8.8.8:53
    Request
    httpbin.org
    IN A
    Response
  • flag-us
    DNS
    httpbin.org
    26BSU_random.exe
    Remote address:
    8.8.8.8:53
    Request
    httpbin.org
    IN AAAA
    Response
    httpbin.org
    IN A
    3.214.119.249
    httpbin.org
    IN A
    3.208.239.150
  • flag-us
    DNS
    home.fivejj5sr.top
    26BSU_random.exe
    Remote address:
    8.8.8.8:53
    Request
    home.fivejj5sr.top
    IN A
    Response
  • flag-us
    DNS
    home.fivejj5sr.top
    26BSU_random.exe
    Remote address:
    8.8.8.8:53
    Request
    home.fivejj5sr.top
    IN AAAA
    Response
    home.fivejj5sr.top
    IN A
    166.1.36.226
  • flag-de
    POST
    http://home.fivejj5sr.top/fWukggcxTlVTnBnJjsCp1739361436
    26BSU_random.exe
    Remote address:
    166.1.36.226:80
    Request
    POST /fWukggcxTlVTnBnJjsCp1739361436 HTTP/1.1
    Host: home.fivejj5sr.top
    Accept: */*
    Content-Type: application/json
    Content-Length: 412293
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.22.1
    Date: Sat, 15 Feb 2025 16:25:41 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 26
    Connection: close
  • flag-us
    DNS
    home.fivejj5sr.top
    26BSU_random.exe
    Remote address:
    8.8.8.8:53
    Request
    home.fivejj5sr.top
    IN A
    Response
  • flag-us
    DNS
    home.fivejj5sr.top
    26BSU_random.exe
    Remote address:
    8.8.8.8:53
    Request
    home.fivejj5sr.top
    IN AAAA
    Response
    home.fivejj5sr.top
    IN A
    166.1.36.226
  • flag-us
    DNS
    home.fivejj5sr.top
    26BSU_random.exe
    Remote address:
    8.8.8.8:53
    Request
    home.fivejj5sr.top
    IN A
  • flag-us
    DNS
    home.fivejj5sr.top
    26BSU_random.exe
    Remote address:
    8.8.8.8:53
    Request
    home.fivejj5sr.top
    IN AAAA
  • flag-us
    DNS
    home.fivejj5sr.top
    26BSU_random.exe
    Remote address:
    8.8.8.8:53
    Request
    home.fivejj5sr.top
    IN AAAA
  • flag-us
    DNS
    home.fivejj5sr.top
    26BSU_random.exe
    Remote address:
    8.8.8.8:53
    Request
    home.fivejj5sr.top
    IN A
  • flag-de
    GET
    http://home.fivejj5sr.top/fWukggcxTlVTnBnJjsCp1739361436?argument=U1c3hdmrASvUl3se1739636741
    26BSU_random.exe
    Remote address:
    166.1.36.226:80
    Request
    GET /fWukggcxTlVTnBnJjsCp1739361436?argument=U1c3hdmrASvUl3se1739636741 HTTP/1.1
    Host: home.fivejj5sr.top
    Accept: */*
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.22.1
    Date: Sat, 15 Feb 2025 16:25:47 GMT
    Content-Type: application/octet-stream
    Content-Length: 10816560
    Connection: close
    Content-Disposition: attachment; filename="6PIXBUMmVxNatdwYrD;"
    Last-Modified: Wed, 12 Feb 2025 11:57:16 GMT
    Cache-Control: no-cache
    ETag: "1739361436.3012471-10816560-3136887048"
  • flag-us
    DNS
    home.fivejj5sr.top
    26BSU_random.exe
    Remote address:
    8.8.8.8:53
    Request
    home.fivejj5sr.top
    IN A
    Response
    home.fivejj5sr.top
    IN A
    166.1.36.226
  • flag-us
    DNS
    home.fivejj5sr.top
    26BSU_random.exe
    Remote address:
    8.8.8.8:53
    Request
    home.fivejj5sr.top
    IN AAAA
    Response
  • flag-de
    GET
    http://home.fivejj5sr.top/fWukggcxTlVTnBnJjsCp1739361436?argument=U1c3hdmrASvUl3se1739636741
    26BSU_random.exe
    Remote address:
    166.1.36.226:80
    Request
    GET /fWukggcxTlVTnBnJjsCp1739361436?argument=U1c3hdmrASvUl3se1739636741 HTTP/1.1
    Host: home.fivejj5sr.top
    Accept: */*
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.22.1
    Date: Sat, 15 Feb 2025 16:27:58 GMT
    Content-Type: application/octet-stream
    Content-Length: 10816560
    Connection: close
    Content-Disposition: attachment; filename="6PIXBUMmVxNatdwYrD;"
    Last-Modified: Wed, 12 Feb 2025 11:57:16 GMT
    Cache-Control: no-cache
    ETag: "1739361436.3012471-10816560-3136887048"
  • 3.214.119.249:443
    httpbin.org
    tls
    26BSU_random.exe
    1.6kB
    6.4kB
    15
    14
  • 166.1.36.226:80
    http://home.fivejj5sr.top/fWukggcxTlVTnBnJjsCp1739361436
    http
    26BSU_random.exe
    501.8kB
    10.4kB
    368
    226

    HTTP Request

    POST http://home.fivejj5sr.top/fWukggcxTlVTnBnJjsCp1739361436

    HTTP Response

    200
  • 166.1.36.226:80
    http://home.fivejj5sr.top/fWukggcxTlVTnBnJjsCp1739361436?argument=U1c3hdmrASvUl3se1739636741
    http
    26BSU_random.exe
    110.4kB
    4.8MB
    2234
    3458

    HTTP Request

    GET http://home.fivejj5sr.top/fWukggcxTlVTnBnJjsCp1739361436?argument=U1c3hdmrASvUl3se1739636741

    HTTP Response

    200
  • 166.1.36.226:80
    http://home.fivejj5sr.top/fWukggcxTlVTnBnJjsCp1739361436?argument=U1c3hdmrASvUl3se1739636741
    http
    26BSU_random.exe
    23.2kB
    1.1MB
    476
    761

    HTTP Request

    GET http://home.fivejj5sr.top/fWukggcxTlVTnBnJjsCp1739361436?argument=U1c3hdmrASvUl3se1739636741

    HTTP Response

    200
  • 8.8.8.8:53
    httpbin.org
    dns
    26BSU_random.exe
    160 B
    250 B
    2
    2

    DNS Request

    httpbin.org

    DNS Request

    httpbin.org

    DNS Response

    3.214.119.249
    3.208.239.150

  • 8.8.8.8:53
    home.fivejj5sr.top
    dns
    26BSU_random.exe
    174 B
    226 B
    2
    2

    DNS Request

    home.fivejj5sr.top

    DNS Request

    home.fivejj5sr.top

    DNS Response

    166.1.36.226

  • 8.8.8.8:53
    home.fivejj5sr.top
    dns
    26BSU_random.exe
    510 B
    226 B
    6
    2

    DNS Request

    home.fivejj5sr.top

    DNS Request

    home.fivejj5sr.top

    DNS Request

    home.fivejj5sr.top

    DNS Request

    home.fivejj5sr.top

    DNS Request

    home.fivejj5sr.top

    DNS Request

    home.fivejj5sr.top

    DNS Response

    166.1.36.226

  • 8.8.8.8:53
    home.fivejj5sr.top
    dns
    26BSU_random.exe
    174 B
    226 B
    2
    2

    DNS Request

    home.fivejj5sr.top

    DNS Request

    home.fivejj5sr.top

    DNS Response

    166.1.36.226

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2512-0-0x00000000010F0000-0x0000000001E15000-memory.dmp (Filesize 13.1MB)
  • memory/2512-1-0x0000000077230000-0x0000000077232000-memory.dmp (Filesize 8KB)
  • memory/2512-2-0x00000000010F1000-0x000000000138B000-memory.dmp (Filesize 2.6MB)
  • memory/2512-3-0x00000000010F0000-0x0000000001E15000-memory.dmp (Filesize 13.1MB)
  • memory/2512-4-0x00000000010F0000-0x0000000001E15000-memory.dmp (Filesize 13.1MB)
  • memory/2512-5-0x00000000010F0000-0x0000000001E15000-memory.dmp (Filesize 13.1MB)
  • memory/2512-6-0x00000000010F0000-0x0000000001E15000-memory.dmp (Filesize 13.1MB)
  • memory/2512-7-0x00000000010F0000-0x0000000001E15000-memory.dmp (Filesize 13.1MB)
  • memory/2512-8-0x00000000010F0000-0x0000000001E15000-memory.dmp (Filesize 13.1MB)
  • memory/2512-9-0x00000000010F0000-0x0000000001E15000-memory.dmp (Filesize 13.1MB)
  • memory/2512-10-0x00000000010F0000-0x0000000001E15000-memory.dmp (Filesize 13.1MB)
  • memory/2512-11-0x00000000010F0000-0x0000000001E15000-memory.dmp (Filesize 13.1MB)
  • memory/2512-12-0x00000000010F0000-0x0000000001E15000-memory.dmp (Filesize 13.1MB)
  • memory/2512-13-0x00000000010F0000-0x0000000001E15000-memory.dmp (Filesize 13.1MB)
  • memory/2512-14-0x00000000010F0000-0x0000000001E15000-memory.dmp (Filesize 13.1MB)
  • memory/2512-15-0x00000000010F0000-0x0000000001E15000-memory.dmp (Filesize 13.1MB)
  • memory/2512-16-0x00000000010F0000-0x0000000001E15000-memory.dmp (Filesize 13.1MB)
  • memory/2512-17-0x00000000010F0000-0x0000000001E15000-memory.dmp (Filesize 13.1MB)
  • memory/2512-18-0x00000000010F0000-0x0000000001E15000-memory.dmp (Filesize 13.1MB)
  • memory/2512-19-0x00000000010F0000-0x0000000001E15000-memory.dmp (Filesize 13.1MB)
  • memory/2512-20-0x00000000010F0000-0x0000000001E15000-memory.dmp (Filesize 13.1MB)
  • memory/2512-21-0x00000000010F0000-0x0000000001E15000-memory.dmp (Filesize 13.1MB)
  • memory/2512-22-0x00000000010F0000-0x0000000001E15000-memory.dmp (Filesize 13.1MB)
  • memory/2512-23-0x00000000010F0000-0x0000000001E15000-memory.dmp (Filesize 13.1MB)
  • memory/2512-24-0x00000000010F0000-0x0000000001E15000-memory.dmp (Filesize 13.1MB)
