Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    test.exe

  • Size

    14.3MB

  • Sample

    250319-dvmynavpz8

  • MD5

    8a44ee98217bc81f0869d793eefab1f0

  • SHA1

    4756ed10cbf5dbad09746a8fa2c2e62c2f2b7200

  • SHA256

    c26e2475ef60ba969bb66c9b464b498efb1da0bf7360ff7545c1db3b707bdbed

  • SHA512

    4f18f54d791929cb24c02e8865d520e6263c096bef7ebd422578bca0600cadb6ea4b046654ef007ba056bf568ff3a19b068bf4313b4a218953a5bd2ecb0e6a02

  • SSDEEP

    393216:vOWd863huc1dQJlAwF3MnG3InVFedWm7NS/xHWgnHz:2893hr1dQ53MG4VAHsT

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.chinaplasticsac.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    8ZBcRV7dC~bT

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    176.65.144.3
  • Port:
    21
  • Username:
    admin
  • Password:
    Admin56@@

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    176.65.144.3
  • Port:
    21
  • Username:
    Believe
  • Password:
    Believe56@@

Extracted

Family

xworm

Version

5.0

C2

116.250.190.209:4567

92.255.85.2:4372

92.255.57.221:4414

92.255.85.66:7000

127.0.0.1:7000

178.173.236.10:7000

Mutex

J3k8MjpWYHnLberu

Attributes
  • install_file

    USB.exe

aes.plain
aes.plain
aes.plain
aes.plain
aes.plain
aes.plain

Extracted

Family

lumma

C2

https://phygcsforum.life/api

https://0explorebieology.run/api

https://gadgethgfub.icu/api

https://84moderzysics.top/api

https://techmindzs.live/api

https://ucodxefusion.top/api

https://techspherxe.top/api

https://-earthsymphzony.today/api

https://.cocjkoonpillow.today/api

https://zfeatureccus.shop/api

https://mrodularmall.top/api

https://jowinjoinery.icu/api

https://legenassedk.top/api

https://yhtardwarehu.icu/api

https://cjlaspcorne.icu/api

https://bugildbett.top/api

https://latchclan.shop/api

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://176.65.144.3
  • Port:
    21
  • Username:
    admin
  • Password:
    Admin56@@

Extracted

Family

vidar

Version

13.2

Botnet

f083f1f6fa006fbbc744aa9888fb3e8a

C2

https://t.me/g_etcontent

https://steamcommunity.com/profiles/76561199832267488

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Firefox/135.0

Extracted

Family

quasar

Version

176.65.144.14:4567;

Botnet

tiktok

C2

https://pastebin.com/raw/5KMaxFkV

Mutex

6b91ceb8-fdf6-44ae-8d03-cf7d52a55ba9

Attributes
  • encryption_key

    6DB4822E80CF23FD4665B760183906FE57378512

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Chrome Updated

  • subdirectory

    SubDir

Extracted

Family

xworm

Version

3.1

C2

needforrat.hopto.org:7000

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Extracted

Family

quasar

Version

1.3.0.0

Botnet

sigorta

C2

213.238.177.46:1604

Mutex

QSR_MUTEX_dxT1m3RtSBLlUoRqXL

Attributes
  • encryption_key

    AZfjKXCnqT1oHdxEyyKo

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

lokibot

C2

http://bauxx.xyz/mtk1/w2/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

darkcomet

Botnet

AUTRE

C2

voltazur.ddns.net:1604

Mutex

DC_MUTEX-0F1C40C

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    djHf5i8YgrmK

  • install

    true

  • offline_keylogger

    false

  • persistence

    true

  • reg_key

    MicroUpdate

rc4.plain

Extracted

Family

lumma

C2

https://moderzysics.top/api

Targets

    • Target

      test.exe

    • Size

      14.3MB

    • MD5

      8a44ee98217bc81f0869d793eefab1f0

    • SHA1

      4756ed10cbf5dbad09746a8fa2c2e62c2f2b7200

    • SHA256

      c26e2475ef60ba969bb66c9b464b498efb1da0bf7360ff7545c1db3b707bdbed

    • SHA512

      4f18f54d791929cb24c02e8865d520e6263c096bef7ebd422578bca0600cadb6ea4b046654ef007ba056bf568ff3a19b068bf4313b4a218953a5bd2ecb0e6a02

    • SSDEEP

      393216:vOWd863huc1dQJlAwF3MnG3InVFedWm7NS/xHWgnHz:2893hr1dQ53MG4VAHsT

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Agenttesla family

    • Ammyy Admin

      Remote admin tool with various capabilities.

    • AmmyyAdmin payload

    • Ammyyadmin family

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Detect Vidar Stealer

    • Detect Xworm Payload

    • FlawedAmmyy RAT

      Remote-access trojan based on leaked code for the Ammyy remote admin software.

    • Flawedammyy family

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Lokibot family

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Modifies WinLogon for persistence

    • Modiloader family

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar family

    • Xred

      Xred is backdoor written in Delphi.

    • Xred family

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • ModiLoader Second Stage

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Event Triggered Execution: Image File Execution Options Injection

    • Manipulates Digital Signatures

      Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

    • .NET Reactor proctector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks