General

  • Target

    fgh.exe

  • Size

    695KB

  • Sample

    221007-tnn55sdafm

  • MD5

    c980c7e6f4087c91113528f72c824192

  • SHA1

    4e2bba5c5ced0a245e372fed825c829ba47ba5f2

  • SHA256

    feb81e1b4ff1bd5cc83dc87f6a67629b5c64bc4f8460c6b5084022512c5c426d

  • SHA512

    32b034aa526717e99f736a80091f1378a6fc6fdee1ef066288484ebc0779e9b11c0038db82e61123e89d3ef68a381edbadd1c56b11d4294521992181cb6063f3

  • SSDEEP

    12288:RNmuYu9aooBha0zajauQwTVnTAI8KzjGFg7XvZA7CFTGSEZTjU4Ptl4hDEJ2UZ0e:RNmLuAoon6mwhnz1jGFgzvZAmLEZ84VH

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\19D9201D49\Log.txt

Family

masslogger

Ransom Note
<|| v2.4.0.0 ||>
User Name: Admin
IP: 154.61.71.50
Location: United States
Windows OS: Microsoft Windows 7 Ultimate 64bit
Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV
CPU: Intel Core Processor (Broadwell)
GPU: Standard VGA Graphics Adapter
AV: NA
Screen Resolution: 1280x720
Current Time: 10/7/2022 6:12:45 PM
MassLogger Started: 10/7/2022 6:12:38 PM
Interval: 2 hour
MassLogger Process: C:\Users\Admin\AppData\Local\Temp\jhhbqiui.exe
MassLogger Melt: false
MassLogger Exit after delivery: true
As Administrator: True
Processes:
<|| WD Exclusion ||> Disabled
<|| Binder ||> Disabled
<|| Window Searcher ||> Disabled
<|| Bot Killer ||> Disabled
<|| Downloader ||> Disabled
<|| Search And Upload ||> Disabled
<|| Telegram Desktop ||> Not Installed
<|| Pidgin ||> Not Installed
<|| FileZilla ||> Not Installed
<|| Discord Tokken ||> Not Installed
<|| NordVPN ||> Not Installed
<|| Outlook ||> Not Installed
<|| FoxMail ||> Not Installed
<|| Thunderbird ||> Not Installed
<|| FireFox ||> Not Found
<|| QQ Browser ||> Not Installed
<|| Chromium Recovery ||> Not Installed or Not Found
<|| Keylogger And Clipboard ||> Disabled

Targets

    • Target

      fgh.exe

    • Size

      695KB

    • MD5

      c980c7e6f4087c91113528f72c824192

    • SHA1

      4e2bba5c5ced0a245e372fed825c829ba47ba5f2

    • SHA256

      feb81e1b4ff1bd5cc83dc87f6a67629b5c64bc4f8460c6b5084022512c5c426d

    • SHA512

      32b034aa526717e99f736a80091f1378a6fc6fdee1ef066288484ebc0779e9b11c0038db82e61123e89d3ef68a381edbadd1c56b11d4294521992181cb6063f3

    • SSDEEP

      12288:RNmuYu9aooBha0zajauQwTVnTAI8KzjGFg7XvZA7CFTGSEZTjU4Ptl4hDEJ2UZ0e:RNmLuAoon6mwhnz1jGFgzvZAmLEZ84VH

    • MassLogger

      Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    • MassLogger log file

      Detects a log file produced by MassLogger.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
