Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

loader_prod.exe

windows7-x64

7

loader_prod.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    loader_prod.exe

  • Size

    20.7MB

  • Sample

    250314-1fby6sztfy

  • MD5

    87de1d182d3540a364412dbe8d8e6bba

  • SHA1

    69c9e8ee556f3563668ca17aafb56f2875bcb524

  • SHA256

    60e8bd0c2321279578cf429f2227ffd2fc1ed45f4b8bf9697d755d746f5ba1c4

  • SHA512

    1c88c268bdc9a4b5106e03b90a18dfd8202a3597527bcaab710886e9a922ecac5c3c44af930a57c81a2ad4aa24ec2e28290a5a46244553475335af2a2897f17f

  • SSDEEP

    393216:6WtM3GWaxlJuU/J3xmgiX3292YMJwF+lxismXsOwSUMtfKwQaZ12:71zlJnlxmV3292fSkxismXlpfnQC

Score
10/10
asyncratquasarstormkittyvenomrateuleneulenv3collectiondefense_evasiondiscoveryevasionpersistenceprivilege_escalationratspywarestealertrojan

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

EulenV3

Mutex

deqnqxomfjhy

Attributes
  • delay

    1

  • install

    true

  • install_file

    svchost.exe

  • install_folder

    %AppData%

  • pastebin_config

    https://pastebin.com/raw/KnhCGRrn

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

Eulen

C2

kakamakasaka.duckdns.org:4782

Mutex

2979d7ad-e7c4-4aea-8e66-03f4b15f5f04

Attributes
  • encryption_key

    0E160FE515EFABA10C6407B1ADCA2222E4408D62

  • install_name

    AggregatorHost.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Realtek HD Audio Driver

  • subdirectory

    Host

Targets

    • Target

      loader_prod.exe

    • Size

      20.7MB

    • MD5

      87de1d182d3540a364412dbe8d8e6bba

    • SHA1

      69c9e8ee556f3563668ca17aafb56f2875bcb524

    • SHA256

      60e8bd0c2321279578cf429f2227ffd2fc1ed45f4b8bf9697d755d746f5ba1c4

    • SHA512

      1c88c268bdc9a4b5106e03b90a18dfd8202a3597527bcaab710886e9a922ecac5c3c44af930a57c81a2ad4aa24ec2e28290a5a46244553475335af2a2897f17f

    • SSDEEP

      393216:6WtM3GWaxlJuU/J3xmgiX3292YMJwF+lxismXsOwSUMtfKwQaZ12:71zlJnlxmV3292fSkxismXlpfnQC

    Score
    10/10
    asyncratquasarstormkittyvenomrateuleneulenv3collectiondefense_evasiondiscoveryevasionpersistenceprivilege_escalationratspywarestealertrojan

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies Windows Defender DisableAntiSpyware settings

      evasiontrojan

    • Modifies Windows Defender notification settings

      defense_evasiontrojan

    • Modifies security service

      defense_evasion

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar family

      quasar

    • Quasar payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • Stormkitty family

      stormkitty

    • VenomRAT

      Detects VenomRAT.

      rat

    • Venomrat family

      venomrat

    • Async RAT payload

      rat

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

      defense_evasion

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Impair Defenses

3
T1562

Disable or Modify Tools

3
T1562.001

Modify Registry

5
T1112

Obfuscated Files or Information

1
T1027

Command Obfuscation

1
T1027.010

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

4
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Wi-Fi Discovery

1
T1016.002

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks