Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
Empyrean Logger Builder.zip
-
Size
589KB
-
Sample
250314-te14caxlx8
-
MD5
1321ce347e487f88cd1f796dd749b0f0
-
SHA1
a31f3c28d9210a75d181452cfca4e4524f3300e2
-
SHA256
8b65d7656d0881a2727ea57981a5b851a6f06a3dbad1f44accbcbf9e0d21ba1b
-
SHA512
77d3b66251b61153aa5b71da40d27873b927cb5cced4a5e3c606bcf5fbd019e8689cec7e19dbe0c2e84fd2b9f7b0db2d41ebf227a00dcf11eee1b040e9ed3ff8
-
SSDEEP
12288:qr/hwXhMLOJxU9hTlp1OzvCZe35qPPKRl52EyEg4iK:O/huhmlPneR52xl4f
Malware Config
Extracted
discordrat
-
discord_token
MTEwMTIwNjIwODE3NTY3MzUxNA.GxRTwM.GCvslMQeJGlG702rniWyui2HFdhthM9sE98y3E
-
server_id
1101173030589300938
Targets
-
-
Target
Builder.exe
-
Size
200KB
-
MD5
ac85ff97508f5d096a0b89251bcd5b33
-
SHA1
cf09f37eb3ab8ab28fced295b7068a5f97124f23
-
SHA256
0283982b9ca1259e8f2a9d1e650cf7baa7a7d4d939179d634aef8a4a271b2a9a
-
SHA512
b22e117ce51a1a21cc5dcfb2e1d408dc8cc538228c0d3fc5773e0808523f93cbbbdeba8be7217ccc281adca80a011151e90f1097a824cd61f6063bcd71aa2c5f
-
SSDEEP
6144:xV28ou9f4wIPuBDnxPMhU3YnOQO9xPOYC12oS:xo3wvhMrO9xm9AoS
Score10/10-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Discordrat family
-
UAC bypass
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Deobfuscate/Decode Files or Information
Payload decoded via CertUtil.
-
Enumerates processes with tasklist
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
install_python.bat
-
Size
686B
-
MD5
f30718a354e7cc104ea553ce5ae2d486
-
SHA1
3876134e6b92da57a49d868013ed35b5d946f8fd
-
SHA256
94008c8135d149fecd29ca62aded487f0fbfa6af893596ffc3e4b621a0fe4966
-
SHA512
601b2256ea709a885741f1dec5c97dda6fb7fd4e485b4afac3503af1aefe73472e5bc5529c144814a3defbc0b51ac4b50e02a50dccc69b41ee5d87a3f4282874
Score8/10-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Powershell Invoke Web Request.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
-
-
Target
src/components/antidebug.py
-
Size
11KB
-
MD5
26435fe69fcfe6322679c9df730cd0b0
-
SHA1
95a305df9fae655cc4b34eb0d5cad8848a4c9100
-
SHA256
101b5276bcaae253319cfc1f0f6b6a1688d9286c7852f8e12d00c698b2ae117c
-
SHA512
26e7750c235cfc734d86502f85f1620c4698bde6e377a2264bddd3017bb8891110e49ead665b59330666d2dd4686c8e657fb080554905dbb9976c8846781c963
-
SSDEEP
192:0PRZOKV83Gsn8ZBwh9JYmypzrKU8zrPsR0TtsBWaOJjd5vpV5M7/V/c:0ZTd+nJYJzrn+rgeeWaOJjd5vpVC6
Score3/10 -
-
-
Target
src/components/browsers.py
-
Size
16KB
-
MD5
1fa5ec2594e7dc5ba902baa17c26c396
-
SHA1
9cc476e8f5068edde04fb74b8d553b9920bb7e22
-
SHA256
fcc7ce278bc39a6f36772e45ca5a9c52bc1457bbcb451587c8812fe090fe0e37
-
SHA512
57ff299400b36ad38fb04728c6416c3b45decc88f6258a5df66bf6bd388575c7ccee5837e0903f44bfb90ff319a9bf6cee046ea316a8f50f365e9418e888b922
-
SSDEEP
384:ljE+Bs45wvwmzwCN903g6YeNlO3+B73Rk:BE+SYrCN903g6PNlO3+B7K
Score3/10 -
-
-
Target
src/components/discordtoken.py
-
Size
17KB
-
MD5
c3d9cbff92171f3004bb29fc5c8e0d49
-
SHA1
972e9a36b103a7c41a26d7f1817ffeeff8dbfb3c
-
SHA256
18df4cedcec576281fa110f1597b8c300a6d8915fb34a05616b92ce00a1108ce
-
SHA512
3ba2c6a271cec1b7988f39aa43358bb2fdcf7581dfbbca55adc568595995a1388b53a73279833fac747775304d6d58a98b02830082d164ead89cb1a23e3e7de2
-
SSDEEP
384:ig9WPIDbhMUN7Qr4cq4cn6vPuk6ii34zSJPuE8q7rqLFBISJ:4Iz7C4F4o6XuVii34zSr8cr8vpJ
Score3/10 -
-
-
Target
src/components/injection.py
-
Size
2KB
-
MD5
1bfaa460966bb67499e24c44e2ae4f3f
-
SHA1
d79d21cd4518324d0c59fa6e183bc91df1c08433
-
SHA256
a9d1ad9132081e78a68e9bc71d315b74b4005f67e2667dc933db2be79e297e6c
-
SHA512
6e1fe9f8a5359abb7409f5b6177908968d5714dabb6e647b7a63c88ae02f06d7c16acb13895d896688ca4558ee64f2f80f2b02ec37879bd5b4b4bd7b5c66221f
Score3/10 -
-
-
Target
src/components/startup.py
-
Size
1KB
-
MD5
d17d405ca05de43451c90ed876382851
-
SHA1
5d79d59b7c7d84da78b16c3b11ccc329a85974c6
-
SHA256
e93db849ec64a2c100f7d07bb1267edb96177b4097573796213fe19623b85e57
-
SHA512
7e2f8325cae28528d84fe1967ded6375d8b581d99a93d5b2dbae8f7a7af03c60cadacd21bd0d29771ccb0dc438e5aac30321f251db44124ab841f267a0ff887b
Score3/10 -
-
-
Target
src/components/systeminfo.py
-
Size
6KB
-
MD5
2737cd3bd851c13c1c5c651e045e75d7
-
SHA1
828797243a9051d1461abebb90e162bd192f2c8a
-
SHA256
6689a267860ff5972229c33934af6356b4828b05ae214d2024f62bd113916a4a
-
SHA512
01d7b0e9c77585e08516c2443797f77c45db861a23f38fccad80036fe3f3ba270add2946317ef5405c608c2f8628910cf38c511cc8d7e94987730e3fe8f71e10
-
SSDEEP
96:o62a5Q8kjqXmBHyCOMLdpvlGa4sVV2iHxhwqf+zadcTP9eTnSIf:PQRy4Tka/T2UIzaaL9erj
Score3/10 -
-
-
Target
src/config.py
-
Size
197B
-
MD5
f9db0f9a37e5d0b737dd22c3a0473d6d
-
SHA1
21b489d27337761e2dd5d6c50f4114ad73777800
-
SHA256
dc3606aa2b6342da0fe23a0a5859cf2f2be3d4bc0ec49f0dd4c79201db68c541
-
SHA512
12b32a522d848c76b984182f9827d22aea2e7c282b0f03db7b5d78e121157de6b67ee0e6031a44067c59efa146f1d5515514f9e27232778a56720582b7ec7d1d
Score3/10 -
-
-
Target
src/main.py
-
Size
848B
-
MD5
c7e2a6f36eead941802e707eb246da84
-
SHA1
4406272e8c7a9b8cb5684373c43f3368b2cb44dd
-
SHA256
eff558ffa171814712d1605c72fe8eba833f1682ef7efc8285dcf5303f4c5f41
-
SHA512
a6191c28c66c9c33d7bf070b36b5cb6ace45e06593cf4368cfd60e10a28bc846100be7efa025e1e12f5b4c3e0217ae5ec185142d1a4ea5db7aa1a5d585afdbeb
Score3/10 -
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Component Object Model Hijacking
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Component Object Model Hijacking
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Deobfuscate/Decode Files or Information
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2