Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

5

Swift_Mess...25.exe

windows7-x64

10

Swift_Mess...25.exe

windows10-2004-x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Swift_Message_Notification_MTC-U27635728_03-2025.cab

  • Size

    1.5MB

  • Sample

    250318-r11zcsylw5

  • MD5

    804ef9c3f42442552248dfca13f7785d

  • SHA1

    f1c54859469d930f05a9a418cf5ec2270b8bc38d

  • SHA256

    9bf84c84913c184dd681aba7e537b4f07aa016787249059a7de076d594776b87

  • SHA512

    7d77fb40db014905d2fc2aa4923646ec37af5c860c3dc85045556341c44a43c9fbb1155295d75da45df6168b4532570db305a49eac650d544998e8da6d1f79b7

  • SSDEEP

    24576:QEzfRbORILKniPZxj3F8axaf/GtTkIZON9/nuEMCxIvOFBuLfvoN7fOFWpEz:17XbPZKkg2Q/nuElwOFBuLfAN7fORz

Score
10/10
asyncratredlinevenomratxwormdefaultsuccessdiscoveryexecutioninfostealerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

success

C2

204.10.161.147:7082

Extracted

Family

xworm

Version

5.0

C2

204.10.161.147:7081

Mutex

XoFHv1TT4hWErxRo

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

aes.plain

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

204.10.161.147:4955

Mutex

kngiyjiutrymnhbuzit

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      Swift_Message_Notification_MTC-U27635728_03-2025.exe

    • Size

      1.9MB

    • MD5

      d18a7c52ddb2548776af2ffecd92862f

    • SHA1

      eeac7cf04fa8da67dde3046fe4aa5edc4d6e49da

    • SHA256

      4d693b4dd287f3aba462951d56f00aac4432794d3b489dfa93ffd17dbf40edc3

    • SHA512

      db1155d3c373f8c4b93712b218e2500d7da835a557220261f605c90926e2674668415cbe2ff89621b94771a7a9adc71bdbb86d44aba34a7576e734e0c982b2a1

    • SSDEEP

      49152:TR0c++OCvkGs9FaktzIuPkpYeDmg27RnWGj:1B3vkJ9HIuPYzD527BWG

    Score
    10/10
    asyncratredlinevenomratxwormdefaultsuccessdiscoveryexecutioninfostealerpersistenceratspywarestealertrojan

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • Detect Xworm Payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • VenomRAT

      Detects VenomRAT.

      rat

    • Venomrat family

      venomrat

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Async RAT payload

      rat

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks