Resubmissions

22/09/2022, 17:11 UTC

220922-vqawzacac6 10

20/09/2022, 13:07 UTC

220920-qct1gachf4 10

Analysis

  • max time kernel
    142s
  • max time network
    52s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/09/2022, 17:11 UTC

General

  • Target

    data64_1.exe

  • Size

    159KB

  • MD5

    95749d6bae439efc267962c9bc3cb2d6

  • SHA1

    236763d6a739c9a68350c5e9775ea8723de2a916

  • SHA256

    f464ed5d98af0625c6c4678b916aa465f47a938e1cf4ad3bf5a95d129f8fb5f9

  • SHA512

    3ee8697c54d69b837f0f81979edde35049904d677a849cfcd943d45d2615581cc18e78318e8d5d35e75273d732d6e06545edca7a4000222c766b4d8789a95fc6

  • SSDEEP

    3072:Um/E8k9ZjpIL+zNch12KbAwSaSbJSp8Bb8EG:N/E8k91zz6/t88EG

Malware Config

Extracted

Family

marsstealer

Botnet

Default

C2

gg.gemkan.online/gate.php

Signatures

  • Mars Stealer

    An infostealer written in C++ based on other infostealers.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\data64_1.exe
    "C:\Users\Admin\AppData\Local\Temp\data64_1.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1376
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 784
      2⤵
      • Program crash
      PID:524

Network

  • Country: US
    DNS
    gg.gemkan.online
    data64_1.exe
    Remote address:
    8.8.8.8:53
    Request
    gg.gemkan.online
    IN A
    Response
    gg.gemkan.online
    IN A
    203.175.9.27
  • Country: ID
    GET
    http://gg.gemkan.online/gate.php
    data64_1.exe
    Remote address:
    203.175.9.27:80
    Request
    GET /gate.php HTTP/1.1
    Host: gg.gemkan.online
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 302 Found
    Date: Thu, 22 Sep 2022 17:11:41 GMT
    Server: Apache
    Location: http://gg.gemkan.online/cgi-sys/suspendedpage.cgi
    Content-Length: 233
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=iso-8859-1
  • Country: ID
    GET
    http://gg.gemkan.online/cgi-sys/suspendedpage.cgi
    data64_1.exe
    Remote address:
    203.175.9.27:80
    Request
    GET /cgi-sys/suspendedpage.cgi HTTP/1.1
    Host: gg.gemkan.online
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Thu, 22 Sep 2022 17:11:41 GMT
    Server: Apache
    Vary: Accept-Encoding
    Keep-Alive: timeout=5, max=99
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: text/html
  • Country: ID
    GET
    http://gg.gemkan.online/request
    data64_1.exe
    Remote address:
    203.175.9.27:80
    Request
    GET /request HTTP/1.1
    Host: gg.gemkan.online
    Cache-Control: no-cache
    Response
    HTTP/1.1 302 Found
    Date: Thu, 22 Sep 2022 17:11:41 GMT
    Server: Apache
    Location: http://gg.gemkan.online/cgi-sys/suspendedpage.cgi
    Content-Length: 233
    Content-Type: text/html; charset=iso-8859-1
  • Country: ID
    GET
    http://gg.gemkan.online/cgi-sys/suspendedpage.cgi
    data64_1.exe
    Remote address:
    203.175.9.27:80
    Request
    GET /cgi-sys/suspendedpage.cgi HTTP/1.1
    Host: gg.gemkan.online
    Cache-Control: no-cache
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Thu, 22 Sep 2022 17:11:42 GMT
    Server: Apache
    Vary: Accept-Encoding
    Keep-Alive: timeout=5, max=97
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: text/html
  • 203.175.9.27:80
    http://gg.gemkan.online/cgi-sys/suspendedpage.cgi
    http
    data64_1.exe
    853 B
    2.2kB
    10
    15

    HTTP Request

    GET http://gg.gemkan.online/gate.php

    HTTP Response

    302

    HTTP Request

    GET http://gg.gemkan.online/cgi-sys/suspendedpage.cgi

    HTTP Response

    200

    HTTP Request

    GET http://gg.gemkan.online/request

    HTTP Response

    302

    HTTP Request

    GET http://gg.gemkan.online/cgi-sys/suspendedpage.cgi

    HTTP Response

    200
  • 8.8.8.8:53
    gg.gemkan.online
    dns
    data64_1.exe
    62 B
    78 B
    1
    1

    DNS Request

    gg.gemkan.online

    DNS Response

    203.175.9.27

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1376-54-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

  • memory/1376-55-0x0000000075091000-0x0000000075093000-memory.dmp

    Filesize

    8KB

  • memory/1376-57-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB
