Overview

Overall score: 10/10

Task                     Platform             Score
Static                   -                    10/10
CleanerV2.exe            windows7-x64         10/10
CleanerV2.exe            windows10-2004-x64   10/10
InstallSetup.exe         windows7-x64         8/10
InstallSetup.exe         windows10-2004-x64   10/10
Motrix-1.8.19-x64.exe    windows7-x64         7/10
Motrix-1.8.19-x64.exe    windows10-2004-x64   7/10
Rust_22_02...np.exe      windows7-x64         3/10
Rust_22_02...np.exe      windows10-2004-x64   3/10
SoftCPU.exe              windows7-x64         3/10
SoftCPU.exe              windows10-2004-x64   7/10
chrome.exe               windows7-x64         8/10
chrome.exe               windows10-2004-x64   8/10
client.exe               windows7-x64         10/10
client.exe               windows10-2004-x64   10/10
goodboy.exe              windows10-2004-x64   10/10
install.exe              windows7-x64         10/10
install.exe              windows10-2004-x64   10/10

Resubmissions

Submitted            Sample ID            Score
14/03/2025, 13:03    250314-qacneavkv5    10/10

General
Target: VIRUSES.zip
Size: 67.2MB
Sample: 250314-qacneavkv5
MD5: 85282ad593314f89f12c427a8b6190d6
SHA1: a4b3231c832a19318e489c2d4b95ee65ed9f7501
SHA256: d9b33203556fafab59ac2a86ffc481da83dab9a29293639098cefd15fd686628
SHA512: faa175c1a1f0c2301db17250f8ccc8122247cafcae4a0b9e606ce73c7f8292e549aadc19fe84545ffe7b4e8ca0006bd92c244cee2c9e2b1c3823caef9c32e769
SSDEEP: 1572864:RRju5peIneG9ahEuBzFrd8LxSeJ1xo5FON+K8a2:LEeInVMDpFx8LxSeDxo54EPa2
Behavioral tasks

Task           Sample                     Resource
behavioral1    CleanerV2.exe              win7-20241010-en
behavioral2    CleanerV2.exe              win10v2004-20250313-en
behavioral3    InstallSetup.exe           win7-20240903-en
behavioral4    InstallSetup.exe           win10v2004-20250313-en
behavioral5    Motrix-1.8.19-x64.exe      win7-20241010-en
behavioral6    Motrix-1.8.19-x64.exe      win10v2004-20250313-en
behavioral7    Rust_22_02_2023_gnp.exe    win7-20241010-en
behavioral8    Rust_22_02_2023_gnp.exe    win10v2004-20250313-en
behavioral9    SoftCPU.exe                win7-20241010-en
behavioral10   SoftCPU.exe                win10v2004-20250314-en
behavioral11   chrome.exe                 win7-20241010-en
behavioral12   chrome.exe                 win10v2004-20250313-en
behavioral13   client.exe                 win7-20241010-en
behavioral14   client.exe                 win10v2004-20250314-en
behavioral15   goodboy.exe                win10v2004-20250314-en
behavioral16   install.exe                win7-20241010-en
behavioral17   install.exe                win10v2004-20250314-en
Malware Config

Extracted: quasar
  1.4.1
  CleanerV2
  192.168.4.185:4782
  1607a026-352e-4041-bc1f-757dd6cd2e95
  encryption_key: 73BCD6A075C4505333DE1EDC77C7242196AF9552
  install_name: Client.exe
  log_directory: Clean
  reconnect_delay: 3000
  startup_key: CleanerV2
  subdirectory: SubDir

Extracted: lumma
  https://mrodularmall.top/api
  https://featureccus.shop/api
  https://jowinjoinery.icu/api
  https://flegenassedk.top/api
  https://-htardwarehu.icu/api
  https://cjlaspcorne.icu/api
  https://bugildbett.top/api
  https://latchclan.shop/api
Targets

Target: CleanerV2.exe
Size: 3.1MB
MD5: e6aeb08ae65e312d03f1092df3ba422c
SHA1: f0a4cbe24646ad6bd75869ecc8991fd3a7b55e62
SHA256: 74fc53844845b75a441d394b74932caa7c7ad583e091ec0521c78ebad718100e
SHA512: 5cce681c2bfea2924516abab84028ebbd78194a4a9a83f9cfdcebdf88aba9e799b1e9ca859a0c68a2438c1c6b605120fc5f192db205173b36237512623514284
SSDEEP: 49152:Cvht62XlaSFNWPjljiFa2RoUYIDURJ6XbR3LoGdG6THHB72eh2NT:CvL62XlaSFNWPjljiFXRoUYIDURJ6p
Signatures:
- Quasar family
- Quasar payload
- Executes dropped EXE
Target: InstallSetup.exe
Size: 383KB
MD5: 18bc0a0e4aab55b86cd1f41476829918
SHA1: 977bd945d4f4a763f36cbcc703029340327d4f40
SHA256: c5a145def78019e54b7f092ff967d25687b4955ec176ce53eab5916d954427be
SHA512: ca5206d805bfccfea6a8ed55911792d12df23fb185dadcb4d3d3a87943f1457d74045f4e611e2e73631c53b6bf10c4d6ef2e38e30686436ccead2fdf1bf72b68
SSDEEP: 6144:yjIjZkWXdi1sWAQLYplIZlQ/WvuaentzFIkJLgJUQjyOxyAOzG+RaJs6GN1l:yjIjdiO8clZWeVF9JLgizc+ILk
Signatures:
- Lumma family
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Downloads MZ/PE file
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
Target: Motrix-1.8.19-x64.exe
Size: 62.7MB
MD5: d2a5030989d5c48ce575840ff8bf524d
SHA1: 36785cf3ee20fd2f93da941f43e77b57f20f3c6f
SHA256: 79b5847ee6c9ed83eca1953ac6552fb036e3f3a741bc251352662048808e60b5
SHA512: 68c97e86b47078e95b95c28a0a37279227d24bf1a3c0ae4a71d3a461621e4e2e6d8188e0b69df78da79e2e7f55a589b000d53f0c9b1f2d7cee28fab656aeba79
SSDEEP: 1572864:32shceP6ltMRjvP7MLrU6NZNsp7UJoIm7:32shPuu5vzMLrU6LNspoWP7
Score: 7/10
Signatures:
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
Target: Rust_22_02_2023_gnp.exe
Size: 430KB
MD5: 3d560af86d945afc16c077829c552d96
SHA1: c2c4bcde91ce300e74c9412324950cb933855d5c
SHA256: 60c185a806fafb422876ecb935529aa2b863499c8ed3388ffa3a6ce6e69582f5
SHA512: 40dda545cd100fd634ba683e1f0c78afa68234ac78f5bcc3b41aa5af400cf4db4cc7dbd2ebc2b80988c1c5f9b688a2feb89145c0d585372ac91dab4b41ce69f0
SSDEEP: 6144:kTouKrWBEu3/Z2lpGDHU3ykJkcerm6bJjL7jg3vcwEg3+GGwRZKnPYR1iitepPHc:kToPWBv/cpGrU3yBiVaJj7TZg
Score: 3/10
Target: SoftCPU.exe
Size: 437KB
MD5: f6e9e004f65915e848f0b0ad6d1a749a
SHA1: cd27ada445ed7fbade354497815369e37ca11e97
SHA256: 8eadaca35b7ddb7e44fa2f14b2a4f3e052e7b6d541d60b67340af3faf90dfc4c
SHA512: acb0afd5782125f3ac8ca173ede3252cbda31d788274a20e4fe5c35e26c21dc657493fdbed366f10a0838cfc06396bd0098edd4e89c22e9ed0553d5c94a322d8
SSDEEP: 12288:xyveQB/fTHIGaPkKEYzURNAwbAgB2X+t4j1:xuDXTIGaPhEYzUzA0/0j1
Score: 7/10
Signatures:
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
Target: chrome.exe
Size: 4.3MB
MD5: 94c60e6704b5dd11a139f2ffebde9135
SHA1: cd89f1cf9428a3eab554a3eb9ff6ca869e5bc368
SHA256: 106bf123359d03963b1df1011fb8560aaf1c5e811de775dce1d8a53758a69102
SHA512: 586bf326eae890379fcc7ad60e0a70384d069898aea46da32baf6bd60854df97b461019beaf17744ba3dfc0e70eb75970b977c30f035d296ae89763605d4ff6d
SSDEEP: 49152:cGNq7FBhpRWa3viMRIcDdxw6dXF3W1QrL1UDq3P8mlp4DOXUxm:cGejpRWafEkRW6OHmrZXt
Score: 8/10
Signatures:
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
Target: client.exe
Size: 103KB
MD5: b53bbcfca226226405217bba4f8b2532
SHA1: 6a84eb91adb4ec5b3b18929fb5e0bfd39cc41fb2
SHA256: be09ac01404b9a32552b8bea765128a3e197a4bf77e909892d00aa2d157d6871
SHA512: f8b51680dbca520ed6877ca5cc1a003258a03bdd802c69985d658375562608c004084463363c9a2ed92b7552c36ba729b1863a1693990186e0f188ff3cc1ec86
SSDEEP: 1536:KOhk60PnYkfH77Xcsg23bH/0cRDrKOyaxPoWvVVZ5ElaSePrpf3n3:HuJ/hRvg2TzEla3PVH
Score: 10/10
Signatures:
- Smokeloader family
- .NET Reactor protector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Suspicious use of SetThreadContext
Target: goodboy.exe
Size: 860KB
MD5: 11ad0f71caabbadba8ca08663690ca39
SHA1: 2dde6d4b02f8121c7e79af49ff524b96e62fc708
SHA256: 861f2c5f07c9e1c7d24c2e34eb47ff3129cd39a2227a2549809b9d5c92267883
SHA512: ea4e66ea0df09c2f4ae90731ccf06343b7ba3066915f234858fdaee39cb39dc681ebcc9b82ccc38ab146330b1fad2cced798d0bf694ec9d31d963abf789c7a9c
SSDEEP: 24576:I2yEGU/CgPh3wl0oKEJKpSL3MG6/2ZbNy0:IFG/Cy5poKVpSTn
Score: 10/10
Signatures:
- Detects Rhadamanthys payload
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++, first seen in August 2022.
- Rhadamanthys family
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
Target: install.exe
Size: 439KB
MD5: e1d10be0d41ba9e8dbad2a53876b3a00
SHA1: e7a2d4f602bfd178eb4ec6ac9bd406cb5eae50ed
SHA256: 5bc044ef951c5095e4b7c094df6e54b19dfaafcd148583bb694625b7a0900f1c
SHA512: 1e7a4065ccf983853b6d212f1d9c9cf43374ee30fd89d4a8d67042b5b560127a7986d60533e949ae77efc48169f96d8ce4cd6f6b0f2f43edebabea238f17fdcb
SSDEEP: 12288:1O7k28xC7HMDVBjfbL5S6IZ7OGQN/RutyU3ivG/Jt9:+OS6IZ7QN/R8yoaG/L
Score: 10/10
Signatures:
- Detects Rhadamanthys payload
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++, first seen in August 2022.
- Rhadamanthys family
- Suspicious use of NtCreateUserProcessOtherParentProcess
MITRE ATT&CK Enterprise v15

Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Defense Evasion
- Modify Registry (3)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)

Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (2)
  - Credentials In Files (2)