Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

4363463463...63.exe

windows7-x64

10

4363463463...63.exe

windows10-2004-x64

10

New Text D...od.exe

windows7-x64

10

New Text D...od.exe

windows10-2004-x64

10

New Text D...od.exe

windows7-x64

10

New Text D...od.exe

windows10-2004-x64

10

Resubmissions

27/02/2025, 06:33 UTC

250227-hbn4tszmx7 10

26/02/2025, 23:57 UTC

250226-3zn4ysxwc1 10

26/02/2025, 23:14 UTC

250226-271x2sxmz9 10

14/02/2025, 01:10 UTC

250214-bjsnnayne1 10

14/02/2025, 01:00 UTC

250214-bc5pmsymhw 10

13/02/2025, 05:01 UTC

250213-fnkwtstpgw 10

13/02/2025, 04:24 UTC

250213-e1kk6atmaz 10

13/02/2025, 04:08 UTC

250213-eqe8patkgx 8

12/02/2025, 23:56 UTC

250212-3yzt3azrdx 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Downloaders.zip

  • Size

    12KB

  • Sample

    250227-hbn4tszmx7

  • MD5

    94fe78dc42e3403d06477f995770733c

  • SHA1

    ea6ba4a14bab2a976d62ea7ddd4940ec90560586

  • SHA256

    16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

  • SHA512

    add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff

  • SSDEEP

    384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB

Score
10/10
asyncratdiscordratlummaphorphiexquasarvidarvipkeyloggerxwormdefaultdomainir7amoffice04zjebcollectioncredential_accessdefense_evasiondiscoveryexecutionkeyloggerloaderpersistenceprivilege_escalationratrootkitspywarestealertrojanworm

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

ZJEB

C2

VIPEEK1990-25013.portmap.host:25013

Mutex

ebef1e3c-805b-4b1a-aa24-bf4dcab44476

Attributes
  • encryption_key

    3EBA8BC34FA983893A9B07B831E7CEB183F7492D

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Security Service

  • subdirectory

    SubDir

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

2.tcp.eu.ngrok.io:19695

Mutex

gonq3XlXWgiz

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain
1
NqgX4cCmmE903Zi62xsKnekCElA9CS4M

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

192.168.1.77:4782

Mutex

e819f327-90a2-4d90-a826-8b38a9c4f3d5

Attributes
  • encryption_key

    EFEBD005E03B8B8669985D9A167E2BEF9FFCA477

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Extracted

Family

xworm

C2

147.185.221.22:47930

127.0.0.1:47930
Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

Extracted

Family

discordrat

Attributes
  • discord_token

    MTMxNTQxMDg0NDg3NTQ4OTI4MA.Gx5ptK.HY1OYsjGMP1MsOoyD2E7T9pCvkfHTdOPozmb_c

  • server_id

    1315411300192616569

Extracted

Family

xworm

Version

5.0

C2

185.7.214.108:4411

185.7.214.54:4411
aes.plain
1
HXDK90FdcxS8oxc7FoYRUw==
aes.plain
1
np2l93BNgdiUH8xzHZsVWA==

Extracted

Family

vipkeylogger

Credentials

  • Protocol:     smtp
  • Host:
    mail.jhxkgroup.online
  • Port:
    587
  • Username:
    logs2@jhxkgroup.online
  • Password:
    7213575aceACE@@
  • Email To:
    log2@jhxkgroup.online

Extracted

Family

lumma

C2

https://paleboreei.biz/api

Extracted

Family

asyncrat

Version

Esco Private rat

Botnet

Default

C2

196.251.88.53:4449

Mutex

voodynqjploelta

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain
1
bjKfso9vqOfBYjVoJ28HgdAF3NhS1ng9

Extracted

Family

vidar

Botnet

ir7am

C2

https://t.me/l793oy

https://steamcommunity.com/profiles/76561199829660832
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

Domain

C2

jojo.ath.cx:1414

Mutex

AsyncMutex_7SI8OkPne

Attributes
  • delay

    3

  • install

    false

  • install_file

    dllscv.exe

  • install_folder

    %AppData%

aes.plain
1
T7Adi3Jnc86CP1KVXUt4k5Ebe2ZotBR8

Targets

    • Target

      4363463463464363463463463.exe

    • Size

      10KB

    • MD5

      2a94f3960c58c6e70826495f76d00b85

    • SHA1

      e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

    • SHA256

      2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

    • SHA512

      fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

    • SSDEEP

      192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

    Score
    10/10
    asyncratphorphiexquasarxwormdefaultoffice04zjebdiscoveryloaderpersistenceratspywarestealertrojanwormdiscordratdefense_evasionexecutionprivilege_escalationrootkit

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • Detect Xworm Payload

    • Discord RAT

      A RAT written in C# using Discord as a C2.

      stealerrootkitratpersistencediscordrat

    • Discordrat family

      discordrat

    • Phorphiex family

      phorphiex

    • Phorphiex payload

    • Phorphiex, Phorpiex

      Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

      wormtrojanloaderphorphiex

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar family

      quasar

    • Quasar payload

    • UAC bypass

      defense_evasiontrojan

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Async RAT payload

      rat

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Powershell Invoke Web Request.

      execution

    • Downloads MZ/PE file

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      defense_evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

    • Target

      New Text Document mod.exe

    • Size

      8KB

    • MD5

      69994ff2f00eeca9335ccd502198e05b

    • SHA1

      b13a15a5bea65b711b835ce8eccd2a699a99cead

    • SHA256

      2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2

    • SHA512

      ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3

    • SSDEEP

      96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

    Score
    10/10
    lummavipkeyloggerxwormcollectiondefense_evasiondiscoveryexecutionkeyloggerpersistenceprivilege_escalationratspywarestealertrojanasyncratvidardefaultdomainir7amcredential_access

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • Detect Vidar Stealer

      stealer

    • Detect Xworm Payload

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

      stealerlumma

    • Lumma family

      lumma

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

      stealerkeyloggervipkeylogger

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Vipkeylogger family

      vipkeylogger

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Async RAT payload

      rat

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      defense_evasion

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Creates new service(s)

      persistenceexecution

    • Downloads MZ/PE file

    • Event Triggered Execution: Image File Execution Options Injection

      persistence

    • Modifies Windows Firewall

      defense_evasion

    • Sets service image path in registry

      persistence

    • Stops running service(s)

      defense_evasionexecution

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

      credential_accessstealer

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      defense_evasion

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook profiles

      collection

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

    • Target

      New Text Document mod.exse

    • Size

      8KB

    • MD5

      69994ff2f00eeca9335ccd502198e05b

    • SHA1

      b13a15a5bea65b711b835ce8eccd2a699a99cead

    • SHA256

      2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2

    • SHA512

      ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3

    • SSDEEP

      96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

    Score
    10/10
    lummavidarvipkeyloggerxwormir7amcollectioncredential_accessdefense_evasiondiscoveryexecutionkeyloggerpersistenceprivilege_escalationratspywarestealertrojanasyncratdefault

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • Detect Vidar Stealer

      stealer

    • Detect Xworm Payload

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

      stealerlumma

    • Lumma family

      lumma

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

      stealerkeyloggervipkeylogger

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar family

      vidar

    • Vipkeylogger family

      vipkeylogger

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Async RAT payload

      rat

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      defense_evasion

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Downloads MZ/PE file

    • Event Triggered Execution: Image File Execution Options Injection

      persistence

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

      credential_accessstealer

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      defense_evasion

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook profiles

      collection

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Command and Scripting Interpreter

3
T1059

PowerShell

3
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

System Services

2
T1569

Service Execution

2
T1569.002

Persistence

Boot or Logon Autostart Execution

3
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

2
T1547.001

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Event Triggered Execution

3
T1546

Component Object Model Hijacking

1
T1546.015

Image File Execution Options Injection

1
T1546.012

Netsh Helper DLL

1
T1546.007

Modify Authentication Process

1
T1556

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Access Token Manipulation

1
T1134

Create Process with Token

1
T1134.002

Boot or Logon Autostart Execution

3
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

2
T1547.001

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Event Triggered Execution

3
T1546

Component Object Model Hijacking

1
T1546.015

Image File Execution Options Injection

1
T1546.012

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Access Token Manipulation

1
T1134

Create Process with Token

1
T1134.002

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Impair Defenses

3
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

1
T1562.001

Modify Authentication Process

1
T1556

Modify Registry

5
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Modify Authentication Process

1
T1556

Steal Web Session Cookie

1
T1539

Unsecured Credentials

5
T1552

Credentials In Files

5
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

9
T1012

Remote System Discovery

1
T1018

System Information Discovery

6
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Virtualization/Sandbox Evasion

2
T1497

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Data from Local System

4
T1005

Email Collection

1
T1114

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Service Stop

1
T1489

Tasks

static1

Score
3/10

behavioral1

asyncratphorphiexquasarxwormdefaultoffice04zjebdiscoveryloaderpersistenceratspywarestealertrojanworm
Score
10/10

behavioral2

discordratxwormdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationratrootkitstealertrojan
Score
10/10

behavioral3

lummavipkeyloggerxwormcollectiondefense_evasiondiscoveryexecutionkeyloggerpersistenceprivilege_escalationratspywarestealertrojan
Score
10/10

behavioral4

asyncratlummavidarvipkeyloggerxwormdefaultdomainir7amcollectioncredential_accessdefense_evasiondiscoveryexecutionkeyloggerpersistenceprivilege_escalationratspywarestealertrojan
Score
10/10

behavioral5

lummavidarvipkeyloggerxwormir7amcollectioncredential_accessdefense_evasiondiscoveryexecutionkeyloggerpersistenceprivilege_escalationratspywarestealertrojan
Score
10/10

behavioral6

asyncratlummavidarvipkeyloggerxwormdefaultir7amcollectioncredential_accessdefense_evasiondiscoveryexecutionkeyloggerpersistenceprivilege_escalationratspywarestealertrojan
Score
10/10

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.