Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

cdnmain/Exela.exe

windows10-ltsc 2021-x64

10

cdnmain/Exela.exe

windows11-21h2-x64

10

Stub.pyc

windows10-ltsc 2021-x64

3

Stub.pyc

windows11-21h2-x64

3

cdnmain/chrome.exe

windows10-ltsc 2021-x64

10

cdnmain/chrome.exe

windows11-21h2-x64

10

cdnmain/cl...st.exe

windows10-ltsc 2021-x64

1

cdnmain/cl...st.exe

windows11-21h2-x64

1

cdnmain/ef.exe

windows10-ltsc 2021-x64

10

cdnmain/ef.exe

windows11-21h2-x64

10

cdnmain/libsodium.dll

windows10-ltsc 2021-x64

1

cdnmain/libsodium.dll

windows11-21h2-x64

1

cdnmain/sqlite3.dll

windows10-ltsc 2021-x64

1

cdnmain/sqlite3.dll

windows11-21h2-x64

1

cdnmain/vc...40.dll

windows10-ltsc 2021-x64

1

cdnmain/vc...40.dll

windows11-21h2-x64

1

cdnmain/verif.exe

windows10-ltsc 2021-x64

1

cdnmain/verif.exe

windows11-21h2-x64

1

Resubmissions

11/03/2025, 16:25

250311-txbamsxq12 10

10/03/2025, 16:59

250310-vhtzwastaz 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    archive.rar

  • Size

    11.6MB

  • Sample

    250310-vhtzwastaz

  • MD5

    88f853c79f8978c740a39b6ffeafdde3

  • SHA1

    2f142b3c96ef3b8d6b7705055a504fd0d4ed66a1

  • SHA256

    1ab7fef81e4a5325f70a7eb8f1e551edaa6344d16eb1aeca68974d89bb4e40db

  • SHA512

    fb3fc9b6b1e35dc812b2e328c46e177da57649be2679f02fc02addcf1f552aeb2dac5f900b4eb0cfbdfba2c8c378ba340882f9b32a016caedbc87b6c594dce8c

  • SSDEEP

    196608:/q710W0isAdLeCKHnNUdTp5S4OhUIyFaEkFNEDMYaHUgRhBJwYpSOc0VsG:AfdyTHN6pdZIyIXGDMN3jTprZ

Score
10/10
asyncratexelastealerdefaultcollectiondefense_evasiondiscoverypersistenceprivilege_escalationpyinstallerratspywarestealerupx

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

2.58.56.179:2035

Mutex

r4ttlesn4ke_ufog3f8u3egef978

Attributes
  • delay

    1

  • install

    true

  • install_file

    Chrome.exe

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      cdnmain/Exela.exe

    • Size

      10.7MB

    • MD5

      0489da91d3268410bb8d82602e3e8cf0

    • SHA1

      005fd8cfce34f5fc1763cc0aa16e59c39384e9c7

    • SHA256

      ff34ad9f57f38b0c38847235ba4296f5e75da20cda43355b887ab5ccbaaa2cc7

    • SHA512

      23cef165b84a5a105bda73e7c4e123ad4ca55e6f12cb4d4ca520ccb689c9df87a1ab48984b7c139633cbe707c83642701b61535558dccb69e4500d9e506cbc6e

    • SSDEEP

      196608:V3irLJJpeXxzO8tknqkPYCHB6y/+KdWhSELyRdKcIr:JUJeXxz5SfHBRtVF9

    Score
    10/10
    exelastealercollectiondefense_evasiondiscoverypersistenceprivilege_escalationspywarestealerupx

    • Exela Stealer

      Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.

      stealerexelastealer

    • Exelastealer family

      exelastealer

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Modifies Windows Firewall

      defense_evasion

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

      collection

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Network Service Discovery

      Attempt to gather information on host's network.

      discovery

    • Enumerates processes with tasklist

      discovery

    • Hide Artifacts: Hidden Files and Directories

      defense_evasion

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

    • Target

      Stub.pyc

    • Size

      799KB

    • MD5

      5605a3e3ebb0727418f44354843c53b8

    • SHA1

      991ab1a7950376f27d0e13be4156cdc921d128ea

    • SHA256

      71be841e886152241dcd0752b6e72c4e5d177fe649889905cbd51547c0d9e0e2

    • SHA512

      3c8b79529c86c74d398be7704282bdbd1f82b9f65b458f16ca9b02a964f830efe8772189c5b4f30c1a4c209a35522eed658af11b60e2857e45c663d3a64053f8

    • SSDEEP

      24576:xdUK0BvxxQlxhqVCiLYzYtVGTCyw4Tr2sKT:EhlvQrViVATKT

    Score
    3/10
    discovery
    behavioral3behavioral4

    • Target

      cdnmain/chrome.exe

    • Size

      48KB

    • MD5

      560316acf1e4be6ee63f609da37e71b5

    • SHA1

      5f22dcf7736356e24b92397162acb723010914fb

    • SHA256

      44d97fbdb694ca55e3beec4ec031ef5162018bdbaff6a968ac25a21e078511b0

    • SHA512

      38d185d48cf537162ef8302df31cdf723d7407765f21284492345cae914d38ec9e3a6cfee0080b5ff9ebef29f7ac54a505ea2e6fea5d65a60c4e6e1e67fb3361

    • SSDEEP

      768:+BUQgNIL4+M0+LiPLKjwiT8Ybrge09FvEgK/Jw8Vc6KN:+B1gjsPLKTzbUxznkJw8VclN

    Score
    10/10
    asyncratdefaultrat

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • Async RAT payload

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    behavioral5behavioral6

    • Target

      cdnmain/cloudflare_whitelist.exe

    • Size

      371KB

    • MD5

      413edd6588c2ee8ba41daad8b96e1a76

    • SHA1

      a58a01a183af99c57a0019093cd24f2c2a88c222

    • SHA256

      5c214b2fbf24154ab23870ffe97b0a31d47b9093e4ad4a003652a62ffafa6a74

    • SHA512

      a45c1cc176a6ea535923f478412dd35404877eac815d4471831b8fda2c0d4a699d1e25fc28614e9b63bd8faa09c5ca2c11cc543b0037667a9c97b1fa13b08db8

    • SSDEEP

      6144:+29A+Dxtpj5Lsc5lITKPam1HuqqrcAENm2DhPtXlL4CA:U+jpj5Lsc5liKPlHuPcqk1Bl9A

    Score
    1/10
    behavioral7behavioral8

    • Target

      cdnmain/ef.exe

    • Size

      54KB

    • MD5

      0ed9406036832e40f6ace06478acdf44

    • SHA1

      9a3ca883ec34bdfd1c21c61c6ca6d03c5365fa6e

    • SHA256

      452e3305df1bf06c79301b9b87de1ec82561a793c4ef4ea5a02803123891b9f6

    • SHA512

      9de32c71a4657d3e9ebd01fd1d933fd44b23c99809bbd0c8c423dcf8436d8c3f81e390ec34df8fb2e5a3a28974c864750ceaeb65693c04b1c5a1f8134eca69a5

    • SSDEEP

      1536:de/mS9oEXN9p7aNJahXy4zGuH4XlqJaAIT+7bqhyX9qZ:d+mSawsLawqGMolq07i7bqMX9W

    Score
    10/10
    asyncratdefaultrat

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • Async RAT payload

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    behavioral10behavioral9

    • Target

      cdnmain/libsodium.dll

    • Size

      341KB

    • MD5

      638fdeedeb1dfc9ba4f7c4d7a96b9559

    • SHA1

      3ec89ef6cab0904c0f3a0122cf715b7cc2855956

    • SHA256

      011e5b5b576fe13b4c11a8358fc81d4c70a6a5163c0be97b4113ffde133cf0cb

    • SHA512

      2b31f05ac56d071ba1555d0a387b0fed74341a8a6324ab53ce8a4dfafa1b72e6b2aedb98997c9a7490b9fd072e46ba1e95ae85150c2f1bfdd6882f87e7edc2f8

    • SSDEEP

      6144:slXmrwctsNRxhBY36OW16GLAJYDV50DErM5Q0N:gm/t6YqOfoAJJD95

    Score
    1/10
    behavioral11behavioral12

    • Target

      cdnmain/sqlite3.dll

    • Size

      1.0MB

    • MD5

      abd499b6a9fe8fca0eec593ae58cdc29

    • SHA1

      40b6dca224ea6aced518f884612abf71aea769a7

    • SHA256

      cc4b95f75d37b642e3bc89e57b50df40519ed9ee7e3b45eb2b061ca6a63b221d

    • SHA512

      b5d5b84e16a99824cadcc25649ee39cd0728380adeacb93d75365bf37367002fc741b286754c0c9173a0b27bc8d1d77e2ba7c6979c2592756bec6c08696b1479

    • SSDEEP

      24576:ScO/Q+Ph+9Xxh05eUMgNZGUUrH/0TmjpnUVfSz:JYQXVUMubm9UVS

    Score
    1/10
    behavioral13behavioral14

    • Target

      cdnmain/vcruntime140.dll

    • Size

      117KB

    • MD5

      943fc74c2e39fe803d828ccfa7e62409

    • SHA1

      4e55d591111316027ae4402dfdfcf8815d541727

    • SHA256

      da72e6677bd1bcd01c453c1998aaa19aeaf6659f4774cf6848409da8232a95b2

    • SHA512

      96e9f32e89aee6faea6e5a3edc411f467f13b35ee42dd6f071723daeba57f611dbd4ff2735be26bb94223b5ec4ee1dffedf8dc744b936c32a27d17b471e37dcf

    • SSDEEP

      1536:R9TXF5YXWbj8qr51XlN+dULTCe1IGhKWyxLiyaXYaWEoecbdhUoTtHez9FazR:REnsvReGsWyxLizXFCecbd1Tt+i1

    Score
    1/10
    behavioral15behavioral16

    • Target

      cdnmain/verif.exe

    • Size

      370KB

    • MD5

      f105bc03c77337cc5997829bf5738a20

    • SHA1

      a8e71ae8d86c520ebfc6b465078692afc0592e9c

    • SHA256

      861f877efa744885c9d19b9de3489ed18b725ab5cf02a73bd3af9d50b950dd7c

    • SHA512

      96a539ed4944713b921879c5a0bed1a2f021f4fa0a2b27b52d3c3ae2ae4ed403bf0e2c39fac52445bb530cd093e7262f61ff6edbffe529c554b8e1565d4d70aa

    • SSDEEP

      6144:nc5iCjosvwX1+pxU5wl5GzspvblKHf9cFSo4XM:ejrvwX1+HQwlTpvQH1eSX

    Score
    1/10
    behavioral17behavioral18

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Account Manipulation

1
T1098

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Account Manipulation

1
T1098

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Network Service Discovery

1
T1046

Permission Groups Discovery

1
T1069

Local Groups

1
T1069.001

Process Discovery

1
T1057

Query Registry

3
T1012

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Wi-Fi Discovery

1
T1016.002

System Network Connections Discovery

1
T1049

Lateral Movement

Collection

Clipboard Data

1
T1115

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks