Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
random.exe
-
Size
5.6MB
-
Sample
250315-njwrjawlt6
-
MD5
f0cad0627e4b852e7ce633df29855373
-
SHA1
3187e3016d889fdcb5f3c38cc19c1dac27163fe4
-
SHA256
e7b933849e850c1778c1378c7a5d07df318d86f7b3ee6257885b768fa81f685c
-
SHA512
c121d9a4d2ced148ac422e193096e7596c8270c662065b9f16efe4ec4ccc1552b44ad92511246fdde7fed55fbb53c178a5da28a84533707a907084c25ad9c615
-
SSDEEP
98304:6zd9u3jgDjebrGE5pd8PY22ImKYMFCqgupRERune9rmqy3kG/TQ8swX+hh/YG6GR:0dMgebrREbJPYIpKcneY13LTQf6+hVYM
Static task
static1
Behavioral task
behavioral1
Sample
random.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
random.exe
Resource
win10ltsc2021-20250314-en
Malware Config
Extracted
http://176.113.115.7/mine/random.exe
Extracted
http://176.113.115.7/mine/random.exe
Extracted
amadey
5.21
092155
http://176.113.115.6
-
install_dir
bb556cff4a
-
install_file
rapes.exe
-
strings_key
a131b127e996a898cd19ffb2d92e481b
-
url_paths
/Ni9kiput/index.php
Extracted
lumma
https://citydisco.bet/api
https://crosshairc.life/api
https://mrodularmall.top/api
https://jowinjoinery.icu/api
https://legenassedk.top/api
https://4htardwarehu.icu/api
https://cjlaspcorne.icu/api
https://bugildbett.top/api
https://weaponrywo.digital/api
https://zfurrycomp.top/api
https://htardwarehu.icu/api
https://8cjlaspcorne.icu/api
https://adweaponrywo.digital/api
https://begindecafer.world/api
https://9garagedrootz.top/api
https://modelshiverd.icu/api
https://arisechairedd.shop/api
https://catterjur.run/api
https://orangemyther.live/api
https://fostinjec.today/api
https://ksterpickced.digital/api
https://biochextryhub.bet/api
https://q8explorebieology.run/api
https://gadgethgfub.icu/api
https://moderzysics.top/api
https://5ktechmindzs.live/api
https://6codxefusion.top/api
https://7phygcsforum.life/api
https://techspherxe.top/api
https://earthsymphzony.today/api
https://qcitydisco.bet/api
https://kbracketba.shop/api
https://featureccus.shop/api
https://latchclan.shop/api
Extracted
stealc
trump
http://45.93.20.28
-
url_path
/85a1cacf11314eb8.php
Extracted
lumma
https://moderzysics.top/api
Extracted
http://176.113.115.7/mine/random.exe
Extracted
asyncrat
| Controller
Default
20.206.204.9:4449
ammmjprqjnqswrieh
-
delay
1
-
install
false
-
install_folder
%AppData%
Targets
-
-
Target
random.exe
-
Size
5.6MB
-
MD5
f0cad0627e4b852e7ce633df29855373
-
SHA1
3187e3016d889fdcb5f3c38cc19c1dac27163fe4
-
SHA256
e7b933849e850c1778c1378c7a5d07df318d86f7b3ee6257885b768fa81f685c
-
SHA512
c121d9a4d2ced148ac422e193096e7596c8270c662065b9f16efe4ec4ccc1552b44ad92511246fdde7fed55fbb53c178a5da28a84533707a907084c25ad9c615
-
SSDEEP
98304:6zd9u3jgDjebrGE5pd8PY22ImKYMFCqgupRERune9rmqy3kG/TQ8swX+hh/YG6GR:0dMgebrREbJPYIpKcneY13LTQf6+hVYM
-
Amadey family
-
Asyncrat family
-
Detects Healer an antivirus disabler dropper
-
Healer family
-
Lumma family
-
Stealc family
-
Xmrig family
-
Zloader family
-
Async RAT payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
XMRig Miner payload
-
Blocklisted process makes network request
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Downloads MZ/PE file
-
Uses browser remote debugging
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Registers new Windows logon scripts automatically executed at logon.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
3PowerShell
3Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Boot or Logon Initialization Scripts
1Logon Script (Windows)
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Boot or Logon Initialization Scripts
1Logon Script (Windows)
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Modify Authentication Process
1Modify Registry
4Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
5Credentials In Files
5Discovery
Browser Information Discovery
1Peripheral Device Discovery
2Query Registry
10Remote System Discovery
1System Information Discovery
7System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Virtualization/Sandbox Evasion
2