505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

9

Static

static

505658da86...39.exe

windows7-x64

9

505658da86...39.exe

windows10-2004-x64

9

Sharing

General

Target

505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539
Size

1.2MB
Sample

221128-bpad9sdb92
MD5

8f15bfb3722b7b5c2af0a3af4aea2e59
SHA1

b7b1c094d883c219c7f872b9d18bd765bce8a5f5
SHA256

505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539
SHA512

47cf5362e7a48d0871f628b3a1913a8b081d2e366323e196860a1249c9b5408178a175e4acfac42a6e4f2d617b405501d6ff036acea558f75184fccecb0131f6
SSDEEP

12288:92vL7kVDlyOjZ87Bvr7wn8/GtFgd6/L5G8Qx9CPW0CjTTrm+pLFONMIRkxkfkkUN:UfSh94z+tCdSV3fW0CjT3m+pApl08M3

Score

9^/10

collection persistence spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe

Resource

win7-20221111-en

collection persistence spyware stealer

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe

Resource

win10v2004-20221111-en

collection persistence spyware stealer

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Targets

- Target
  
  505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539
- Size
  
  1.2MB
- MD5
  
  8f15bfb3722b7b5c2af0a3af4aea2e59
- SHA1
  
  b7b1c094d883c219c7f872b9d18bd765bce8a5f5
- SHA256
  
  505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539
- SHA512
  
  47cf5362e7a48d0871f628b3a1913a8b081d2e366323e196860a1249c9b5408178a175e4acfac42a6e4f2d617b405501d6ff036acea558f75184fccecb0131f6
- SSDEEP
  
  12288:92vL7kVDlyOjZ87Bvr7wn8/GtFgd6/L5G8Qx9CPW0CjTTrm+pLFONMIRkxkfkkUN:UfSh94z+tCdSV3fW0CjT3m+pApl08M3
Score

9^/10

collection persistence spyware stealer
- NirSoft MailPassView
  Password recovery tool for various email clients
- Nirsoft
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

collectionpersistencespywarestealer

behavioral2

collectionpersistencespywarestealer

© 2018-2025

Terms | Privacy