Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

tax.url

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    infected.zip

  • Size

    305B

  • Sample

    250220-w7h5casja1

  • MD5

    2f924641c603cebaf3643254c0f5fb0c

  • SHA1

    3987572548b2cf9011f7b37c18bfa6a37921c112

  • SHA256

    e865c11a09f20f23f2e4db2f432bae3d9c504e76f4c6211a761152bb8e58c2ba

  • SHA512

    38ddaafa6ca34d60dfb1923e69a997995582f67bb08d604549e3872391c1d3d32e12c1e9a32b5498817f9b50f7e8aae25bc8e5695ddf7211a0f848ffb26f17d6

Score
10/10
asyncratstealeriumxwormdefaultcollectiondiscoveryexecutionpersistenceprivilege_escalationratstealertrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

62.60.190.196:8000

Mutex

9Kl9naWliCNlyild

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

asyncrat

Botnet

Default

C2

62.60.190.196:3232

62.60.190.141:3232
Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain
aes.plain

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

62.60.190.141:4056

Mutex

fagpetngyrfkiki

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      tax.url

    • Size

      164B

    • MD5

      723aac9b3e0f882ec7b82dff9baddcf5

    • SHA1

      52b2dc535388d53584d2d71ab07a81c07b9ed88e

    • SHA256

      66144c2c65f050cb23aae78416d596aa411aea6bdaec123b998061b9059661b9

    • SHA512

      db169bcf3ee28196ac7a02024aaf15419036f305a84a8581297a4df3736b6af6536e98ec64e17ab2b6149eb062a181505afade4a78c3b30b629d92c3d3a85760

    Score
    10/10
    asyncratstealeriumxwormdefaultcollectiondiscoveryexecutionpersistenceprivilege_escalationratstealertrojan

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • Detect Xworm Payload

    • Stealerium

      An open source info stealer written in C# first seen in May 2022.

      stealerstealerium

    • Stealerium family

      stealerium

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Async RAT payload

      rat

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks