Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

lossless scaling.zip

windows11-21h2-x64

10

lossless scaling.iso

windows11-21h2-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    lossless scaling.zip

  • Size

    5.5MB

  • Sample

    250312-l4gr1aylx2

  • MD5

    7cad413146081f6315d82b1dfbebc256

  • SHA1

    5ef84bec1e3b9d5c62a95b08ac133991a1951bf4

  • SHA256

    653c00ae23b0d0001ab2d962daef99c15dbc83b3c676b9f79249ebd757c78d2e

  • SHA512

    e82b5caf11830d2dfef2b8d8c3a5eed116e68ed3f9b4259953155f8474e682bb56b3b7d9e64d8e07b4acf5c22540eb3620a3199e79c161c0eb705ea11179ae74

  • SSDEEP

    98304:Uyf2ZCmbGVSS7jQ3TyQfVp2EhpyZ6DVvpnPqf7waG159wwo2QOWIAeukWahTDCQM:/mUSS7M3TyQfzyZ0dtdm2QbIAeqa5mr5

Score
10/10
asyncratdefaultcollectiondefense_evasiondiscoveryexecutionprivilege_escalationratspywarestealertrojan

Malware Config

Extracted

Family

asyncrat

Version

A 14

Botnet

Default

C2

puka1.work.gd:408

puka1.ddnsfree.com:408

ramdan.mywire.org:408
Mutex

MaterxMutex_Egypt408

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      lossless scaling.zip

    • Size

      5.5MB

    • MD5

      7cad413146081f6315d82b1dfbebc256

    • SHA1

      5ef84bec1e3b9d5c62a95b08ac133991a1951bf4

    • SHA256

      653c00ae23b0d0001ab2d962daef99c15dbc83b3c676b9f79249ebd757c78d2e

    • SHA512

      e82b5caf11830d2dfef2b8d8c3a5eed116e68ed3f9b4259953155f8474e682bb56b3b7d9e64d8e07b4acf5c22540eb3620a3199e79c161c0eb705ea11179ae74

    • SSDEEP

      98304:Uyf2ZCmbGVSS7jQ3TyQfVp2EhpyZ6DVvpnPqf7waG159wwo2QOWIAeukWahTDCQM:/mUSS7M3TyQfzyZ0dtdm2QbIAeqa5mr5

    Score
    10/10
    asyncratdefaultcollectiondefense_evasiondiscoveryexecutionprivilege_escalationratspywarestealertrojan

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • UAC bypass

      defense_evasiontrojan

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook accounts

      collection

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

    behavioral1

    • Target

      lossless scaling.iso

    • Size

      14.4MB

    • MD5

      46e9759569770db40c6c79e94daf651a

    • SHA1

      f77fff018270806ed77f9c71ee0fa87e8aac5667

    • SHA256

      2bac7f7bf574784293615140b68dd8e3d0b76ea75be410e9136f269d21db6252

    • SHA512

      368b654b84ea71eef3329612165b823bcb5b3cc3797dfa15f004b93b0d046247543ec779e274ce3acbdbc83d2fba7ef0c5e4d06b34588bf4de4b529f17b1a5a5

    • SSDEEP

      98304:w3ow+ZLQNfbs8jsGBVdR5vZjUV+XXoYUZ1ZLQN3bs8jsGBVdR5vZjUV+XXoYUZ:wCQNjs8j9B3v1FXXeQNLs8j9B3v1FXX

    Score
    3/10
    behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Access Token Manipulation

1
T1134

Create Process with Token

1
T1134.002

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Access Token Manipulation

1
T1134

Create Process with Token

1
T1134.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

2
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

5
T1552

Credentials In Files

4
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

2
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

5
T1005

Email Collection

1
T1114

Command and Control

Exfiltration

Impact

Tasks