
General

  • Target

    af8a19443518dd4b892c8080ea61b6d87674c73faf1f8f4061d025eec3999649.zip

  • Size

    3.4MB

  • Sample

    250304-dsgzmaymx2

  • MD5

    7c7df277d04b8fd41501a3679c5e5fac

  • SHA1

    638cafa51d2feb43dea3533f9fa9c74926e27fa9

  • SHA256

    af8a19443518dd4b892c8080ea61b6d87674c73faf1f8f4061d025eec3999649

  • SHA512

    3a11eb6109128ee1d402e26ff98de822f8e76a5286c19da18b6481af00849c0a94004b41595d4330d5dff8a65e9316dd02b3da2ba16fa43c8f0785caff968bb2

  • SSDEEP

    98304:tjpLX5eripJhpQwa3GNkPXPFgYK82sTrPtcBNtY:tjNX5etEuKYR2cr1QNK

Malware Config

Extracted

Family

revengerat

Botnet

Guest

C2

0.tcp.ngrok.io:19521

Mutex

RV_MUTEX

Targets

    • Target

      New folder/AgentTesla.exe.meow

    • Size

      2.8MB

    • MD5

      cce284cab135d9c0a2a64a7caec09107

    • SHA1

      e4b8f4b6cab18b9748f83e9fffd275ef5276199e

    • SHA256

      18aab0e981eee9e4ef8e15d4b003b14b3a1b0bfb7233fade8ee4b6a22a5abbb9

    • SHA512

      c45d021295871447ce60250ff9cbeba2b2a16a23371530da077d6235cfe5005f10fa228071542df3621462d913ad2f58236dc0c0cb390779eef86a10bba8429f

    • SSDEEP

      49152:4HEHIHP6z9goDKncJkYgCB7UODoQvjZMElnp0zGMPokHz5xZtYgxsdexHwNbUMb:ZdRFBmnQ7rjZMYSzGbkHzXxWeu6W

    • Score

      4/10

    • Target

      MaterialDesignColors.dll

    • Size

      292KB

    • MD5

      39367419516f5f3df9ab1f9e5d0bbcd5

    • SHA1

      762c9acdb09bfdf40e700645131999202abbc871

    • SHA256

      976eea4567656d536a6344b3834f958f2b9e27401b94c643681770437d5abc68

    • SHA512

      20ea8a64a14579ef5403eae8a6345afa0f9b12229fdb8bc869f7a8cdd4e785093b9f60f9445be738266a161d75f53a8b8e42a69b2f9b4cbf4684f5dbf5113ae9

    • SSDEEP

      1536:2ZJb/nKyGMbYrE4jKg4J4A+0MDR1TU7fKoVxbYCCMIRFxcE5istk0uWE1Ci4oggj:2DDrYrE6oJU907fKoVxb+Y

    • Score

      1/10

    • Target

      MaterialDesignThemes.Wpf.dll

    • Size

      7.1MB

    • MD5

      fbd761926164043ac71ee9b83ab37fd1

    • SHA1

      38d44b0f40fa31124ba139adeb6f7adc7e53ee19

    • SHA256

      013a42b8c6ffa29e2198eed4faf6168247b6550a4c4ed5d82023a1d82a08e27e

    • SHA512

      c2a0be2d8b5b98dc19ad167aadc1e68905ad259e3b0e020cfb95a8a816964549c98a9c5bc44b8f4640147bfd8555e799216b8dba13bf0eefed9582782da552d2

    • SSDEEP

      98304:OXJDntBksKY+ND3WyA4+TLVei10vMzPv8/4C8B5XVS49Xzy83IiEcJMrCR2fShTf:onJ45/9iD54+V11bFv4z

    • Score

      1/10

    • Target

      Microsoft.Management.Infrastructure.dll

    • Size

      36KB

    • MD5

      3998804194188c25df75f505ac5c531a

    • SHA1

      6b15b2d779e7c46e31fcc864fc1ef326fb3d2b50

    • SHA256

      cbec9a910488cadbad860c850ceae521a2a346619c5a9da579e5051e270f114c

    • SHA512

      d7cd7457c753190fd1ae5386a62dffbe5907ace02227ef873f4c890f4a4e987914fb94ab1ec8318f48a76fc55cfe8e7de83b75cfcbec0bb8ff0e18d2d956abdc

    • SSDEEP

      768:droEzop6gC66+666M66666+vvvvvvvvvvvvvF66666K66n6666666666ZpkLEyXD:nNLEyXCL

    • Score

      1/10

    • Target

      SharpSteam.dll

    • Size

      5KB

    • MD5

      aa6d1a798829536972ac5ba7d01d0c77

    • SHA1

      8ec399faa7c428e9962f116b2baf6efca636e8c8

    • SHA256

      74a89211b2a1bcf84796785fb93647ac6a1e5efbb2bbd14ddcee2e50c15153a4

    • SHA512

      a937d3840bd6102c321ebaa06e01bda575d383aa152c1c0bfc8faa870109a7672a9957c50a6a259ecf481b47450df1814d7d152334e396780fe15760281be870

    • SSDEEP

      48:6O/89d6LfKuNpIoijbm2EjW6NINM/OMeZSCo1bumqMzxSu4tM/klXWRO6uFF:0uNpI7j6jWyPgysCcl8

    • Score

      1/10

    • Target

      System.Management.Automation.dll

    • Size

      352KB

    • MD5

      835e9ede7e7c774e7a2d56cfdf6e9b17

    • SHA1

      a43ed886b68c6ee913da85df9ad2064f1d81c470

    • SHA256

      c3a5868584a777422cebcf31d6718fd2b26d5e2314d3b5ba6d8e47aa40faba0c

    • SHA512

      74284fd44497beb74326d11a0f63d96aff20aa44cfa8385f6b63b7e6743403c36e2ea4fb0d991767117a97d320e04d2b21f0a4730916244af4ffdaf51e834a26

    • SSDEEP

      3072:d/SDqTIE+QQVVBCTmAG17iT+Lt8D/1L2iLZdrs81sDotEKjRmarzRm+5gSBZqoEJ:d/PXS6WK2iLZdgotEKj9rzRmkgSBAot

    • Score

      1/10

    • Target

      UWPHook.exe

    • Size

      831KB

    • MD5

      9aa4929291eff01d727b9fb88bba080c

    • SHA1

      820321cd5e8fbf81db43f024e93ee190811b8906

    • SHA256

      d55baebe14b8e68afd44227d3ae7307fa07dbbdd91331b892edde93fd027ca6e

    • SHA512

      b52e18c3c8f4f30479c974e4c19e00cacdb850df6e631aeed553cbfee77703e664136385ff7a6b38c90ddf18e0c29a08c51264ad7696c5d8278b8876d3b7fe1f

    • SSDEEP

      12288:O4IH5S68xqbLLjo9LfPw3ytl8dSkc6ZubYpE0EjcUBS4BJ:O35R8xf143yte6epEdjcUBzBJ

    • Score

      3/10

    • Target

      VDFParser.dll

    • Size

      15KB

    • MD5

      17351a51f020d8352c3d8144bf89ab40

    • SHA1

      80a46c4dd6be71f789183daaa6677629654ebe68

    • SHA256

      503804161cd8ff82756292f6d4d24107e6c8ac4cf43df89378f7b5d3782cc2ad

    • SHA512

      ab5b16f296d787a72fed58bcb00e1295a543d4fb5eff00cb82c065fe336d18a572884003e2b519f5d4880546ce592aa9d903ad096a7d78dedf5f72b76034c983

    • SSDEEP

      384:GEI1akrMmNix7WLptEEEEEEEEEEEEEEEEEEEDl/hJOhE75MuODENhtN:lyMvWLptEEEEEEEEEEEEEEEEEEE5JwaJ

    • Score

      1/10

    • Target

      New folder/Emotet.doc.meow

    • Size

      139KB

    • MD5

      b92021ca10aed3046fc3be5ac1c2a094

    • SHA1

      0fb1ad5b53cdd09a7268c823ec796a6e623f086f

    • SHA256

      c378387344e0a552dc065de6bfa607fd26e0b5c569751c79fbf9c6f2e91c9807

    • SHA512

      bbeb5cfd7c5a890456b0805234a9ae325abc4a08dbad70b4ed1b3635dee4470a1f86869d5532809cecb595b9a89708f378921d733bd061aef693bfc5ee77ebb4

    • SSDEEP

      3072:/Msknok2er/yR5DpQKajNDu1CkBwN0pqJfWSq:zkoRoKDpQZqQkmN0scR

    • Score

      3/10

    • Target

      New folder/FreeYoutubeDownloader.exe.meow

    • Size

      396KB

    • MD5

      13f4b868603cf0dd6c32702d1bd858c9

    • SHA1

      a595ab75e134f5616679be5f11deefdfaae1de15

    • SHA256

      cae57a60c4d269cd1ca43ef143aedb8bfc4c09a7e4a689544883d05ce89406e7

    • SHA512

      e0d7a81c9cdd15a4ef7c8a9492fffb2c520b28cebc54a139e1bffa5c523cf17dfb9ffe57188cf8843d74479df402306f4f0ce9fc09d87c7cca92aea287e5ff24

    • SSDEEP

      12288:jANwRo+mv8QD4+0V16nkFkkk2kyW9EArjaccoH0qzh4:jAT8QE+kHW9EAr+fr4i

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      New folder/HawkEye.exe.meow

    • Size

      232KB

    • MD5

      60fabd1a2509b59831876d5e2aa71a6b

    • SHA1

      8b91f3c4f721cb04cc4974fc91056f397ae78faa

    • SHA256

      1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838

    • SHA512

      3e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a

    • SSDEEP

      3072:BMhIBKH7j7DzQi7y5bvl4YAbdY9KWvwn7XHMzqEOf64CEEl64HBVdGXPKD:BMh5H7j5g54YZKXoxOuEEl64HZAi

    • Chimera

      Ransomware which infects local and network files, often distributed via Dropbox links.

    • Chimera Ransomware Loader DLL

      Drops/unpacks executable file which resembles Chimera's Loader.dll.

    • Chimera family

    • Renames multiple (1992) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      New folder/Mantas.exe.meow

    • Size

      40KB

    • MD5

      53f25f98742c5114eec23c6487af624c

    • SHA1

      671af46401450d6ed9c0904402391640a1bddcc2

    • SHA256

      7b5dec6a48ee2114c3056f4ccb6935f3e7418ef0b0bc4a58931f2c80fc94d705

    • SHA512

      f460775308b34552c930c3f256cef1069b28421673d71e3fa2712b0467485861a98285925ae49f1adea1faf59265b964c873c12a3bb5de216122ac20084e1048

    • SSDEEP

      768:rz4RBkfbi/FG9Of8Ejex0a6zALVlXt32KtYFPYA3HxAnIIGSEsu:4Ciw9a8EG05zMt3jKYA3xAYns

    • Adds Run key to start application

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      New folder/Meoware.exe.meow

    • Size

      244KB

    • MD5

      86349691dac930f52bd797a44b18dd00

    • SHA1

      452e3feaf0aa4ea3df0b520c42def39d56b0e6a1

    • SHA256

      77898bbfd090997263a450e0daa35593b5a295b464e53053fb68a84cad8d0927

    • SHA512

      952b12f983b441eb483edf8b8a248859495898176a8470d5bbd88672157407f2e47ff60301dff808d1c430c8d16d166f51b60635043721d1d0ecab195379e577

    • SSDEEP

      3072:+FeSgiY5JN7vY7n3KAJ3GHo27yMP0ZJm1sxLip940gW8TClAf5rB6:K/ghU7aAJ3GHN8694TnTvBB6

    • Score

      1/10

    • Target

      New folder/RevengeRAT.exe.meow

    • Size

      4.0MB

    • MD5

      1d9045870dbd31e2e399a4e8ecd9302f

    • SHA1

      7857c1ebfd1b37756d106027ed03121d8e7887cf

    • SHA256

      9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

    • SHA512

      9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

    • SSDEEP

      1536:SGZiTHzreu+4SHYEJicHHkxcPiwlJ6BjQaJ7ehgQpmnp3bDBq+AD3tSYxV:Z8AHxicHEuP5l/aJ7ehgiYDk9SYz

    • RevengeRAT

      Remote-access trojan with a wide range of capabilities.

    • Revengerat family

    • RevengeRat Executable

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

upx, stealer, guest, revengerat
Score
10/10

behavioral1

discovery
Score
4/10

behavioral2

discovery
Score
4/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

Score
1/10

behavioral8

Score
1/10

behavioral9

Score
1/10

behavioral10

Score
1/10

behavioral11

Score
1/10

behavioral12

Score
1/10

behavioral13

discovery
Score
3/10

behavioral14

discovery
Score
3/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

discovery
Score
3/10

behavioral18

Score
3/10

behavioral19

discovery, persistence
Score
7/10

behavioral20

discovery, persistence
Score
7/10

behavioral21

chimera, discovery, ransomware, spyware, stealer
Score
10/10

behavioral22

chimera, discovery, ransomware, spyware, stealer
Score
10/10

behavioral23

discovery, persistence, upx
Score
6/10

behavioral24

discovery, persistence, upx
Score
6/10

behavioral25

Score
1/10

behavioral26

Score
1/10

behavioral27

revengerat, guest, discovery, persistence, stealer, trojan
Score
10/10

behavioral28

revengerat, guest, discovery, persistence, stealer, trojan
Score
10/10