Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
test.exe
-
Size
14.3MB
-
Sample
250319-dvmynavpz8
-
MD5
8a44ee98217bc81f0869d793eefab1f0
-
SHA1
4756ed10cbf5dbad09746a8fa2c2e62c2f2b7200
-
SHA256
c26e2475ef60ba969bb66c9b464b498efb1da0bf7360ff7545c1db3b707bdbed
-
SHA512
4f18f54d791929cb24c02e8865d520e6263c096bef7ebd422578bca0600cadb6ea4b046654ef007ba056bf568ff3a19b068bf4313b4a218953a5bd2ecb0e6a02
-
SSDEEP
393216:vOWd863huc1dQJlAwF3MnG3InVFedWm7NS/xHWgnHz:2893hr1dQ53MG4VAHsT
Behavioral task
behavioral1
Sample
test.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
test.exe
Resource
win10v2004-20250314-en
Malware Config
Extracted
Protocol: smtp- Host:
mail.chinaplasticsac.com - Port:
587 - Username:
[email protected] - Password:
8ZBcRV7dC~bT
Extracted
Protocol: ftp- Host:
176.65.144.3 - Port:
21 - Username:
admin - Password:
Admin56@@
Extracted
Protocol: ftp- Host:
176.65.144.3 - Port:
21 - Username:
Believe - Password:
Believe56@@
Extracted
xworm
5.0
116.250.190.209:4567
92.255.85.2:4372
92.255.57.221:4414
92.255.85.66:7000
127.0.0.1:7000
178.173.236.10:7000
J3k8MjpWYHnLberu
-
install_file
USB.exe
Extracted
lumma
https://phygcsforum.life/api
https://0explorebieology.run/api
https://gadgethgfub.icu/api
https://84moderzysics.top/api
https://techmindzs.live/api
https://ucodxefusion.top/api
https://techspherxe.top/api
https://-earthsymphzony.today/api
https://.cocjkoonpillow.today/api
https://zfeatureccus.shop/api
https://mrodularmall.top/api
https://jowinjoinery.icu/api
https://legenassedk.top/api
https://yhtardwarehu.icu/api
https://cjlaspcorne.icu/api
https://bugildbett.top/api
https://latchclan.shop/api
Extracted
agenttesla
Protocol: ftp- Host:
ftp://176.65.144.3 - Port:
21 - Username:
admin - Password:
Admin56@@
Extracted
vidar
13.2
f083f1f6fa006fbbc744aa9888fb3e8a
https://t.me/g_etcontent
https://steamcommunity.com/profiles/76561199832267488
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Firefox/135.0
Extracted
quasar
176.65.144.14:4567;
tiktok
https://pastebin.com/raw/5KMaxFkV
6b91ceb8-fdf6-44ae-8d03-cf7d52a55ba9
-
encryption_key
6DB4822E80CF23FD4665B760183906FE57378512
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Chrome Updated
-
subdirectory
SubDir
Extracted
xworm
3.1
needforrat.hopto.org:7000
-
Install_directory
%AppData%
-
install_file
USB.exe
Extracted
quasar
1.3.0.0
sigorta
213.238.177.46:1604
QSR_MUTEX_dxT1m3RtSBLlUoRqXL
-
encryption_key
AZfjKXCnqT1oHdxEyyKo
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Extracted
lokibot
http://bauxx.xyz/mtk1/w2/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Extracted
darkcomet
AUTRE
voltazur.ddns.net:1604
DC_MUTEX-0F1C40C
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
djHf5i8YgrmK
-
install
true
-
offline_keylogger
false
-
persistence
true
-
reg_key
MicroUpdate
Extracted
lumma
https://moderzysics.top/api
Targets
-
-
Target
test.exe
-
Size
14.3MB
-
MD5
8a44ee98217bc81f0869d793eefab1f0
-
SHA1
4756ed10cbf5dbad09746a8fa2c2e62c2f2b7200
-
SHA256
c26e2475ef60ba969bb66c9b464b498efb1da0bf7360ff7545c1db3b707bdbed
-
SHA512
4f18f54d791929cb24c02e8865d520e6263c096bef7ebd422578bca0600cadb6ea4b046654ef007ba056bf568ff3a19b068bf4313b4a218953a5bd2ecb0e6a02
-
SSDEEP
393216:vOWd863huc1dQJlAwF3MnG3InVFedWm7NS/xHWgnHz:2893hr1dQ53MG4VAHsT
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
AmmyyAdmin payload
-
Ammyyadmin family
-
Darkcomet family
-
Detect Vidar Stealer
-
Detect Xworm Payload
-
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
-
Flawedammyy family
-
Lokibot family
-
Lumma family
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies WinLogon for persistence
-
Modiloader family
-
Quasar family
-
Quasar payload
-
Vidar family
-
Xred family
-
Xworm family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
ModiLoader Second Stage
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Event Triggered Execution: Image File Execution Options Injection
-
Manipulates Digital Signatures
Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
-
Uses browser remote debugging
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
.NET Reactor proctector
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Access Token Manipulation
1Create Process with Token
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Access Token Manipulation
1Create Process with Token
1Hide Artifacts
2Hidden Files and Directories
2Modify Authentication Process
1Modify Registry
4Subvert Trust Controls
2Install Root Certificate
1SIP and Trust Provider Hijacking
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
3Credentials In Files
3