Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
053022 BL#6329296080 IMPORTER#3400037 (NEED L.exe
-
Size
747KB
-
Sample
220601-1kbh7sbgf2
-
MD5
7a2babef327a833fb307c31517740e5d
-
SHA1
9c87a1a547b9e5eddbf146d57d0589095d87b523
-
SHA256
8d02836e227159df328ccb237413c709acf5683a526ffaedcdd09fd409a76cdb
-
SHA512
683eba89141d595e6fb9d1ff2345827c59d545b8332fad71bef7f0481d8e257305f2c6ecc87b18e39c16548aae63ddef9560eceff71d45f1e4cb5355837955fa
Static task
static1
Behavioral task
behavioral1
Sample
053022 BL#6329296080 IMPORTER#3400037 (NEED L.exe
Resource
win7-20220414-en
Malware Config
Extracted
oski
internetstores.co.vu
Targets
-
-
Target
053022 BL#6329296080 IMPORTER#3400037 (NEED L.exe
-
Size
747KB
-
MD5
7a2babef327a833fb307c31517740e5d
-
SHA1
9c87a1a547b9e5eddbf146d57d0589095d87b523
-
SHA256
8d02836e227159df328ccb237413c709acf5683a526ffaedcdd09fd409a76cdb
-
SHA512
683eba89141d595e6fb9d1ff2345827c59d545b8332fad71bef7f0481d8e257305f2c6ecc87b18e39c16548aae63ddef9560eceff71d45f1e4cb5355837955fa
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-