General

  • Target

    9ab1d6220c68a3b965b80ebb3c81c9c0886d7f0180c6ed7dbf888502ce30d465

  • Size

    372KB

  • Sample

    221129-t912tsfg83

  • MD5

    1a602393b841f50047c5a8a8608c4100

  • SHA1

    778a9bebf7dca5a40043dc7fc5dfd104ddfbbfe5

  • SHA256

    9ab1d6220c68a3b965b80ebb3c81c9c0886d7f0180c6ed7dbf888502ce30d465

  • SHA512

    53a6ce21137e54d9a93d8e9577ae695eba337a7c0d4d8b5acf3561273041895ed325232b3f77c0433166495311792cd4e85f149c88bb064f181a551fa10d5934

  • SSDEEP

    6144:yOLJqj40m5tXf2y7dYyzxit1egV2M20TRFDK8ALxQgCRz7ySeECe:yGqs5wYdY6i4gP2w+kVT

Targets

    • Target

      9ab1d6220c68a3b965b80ebb3c81c9c0886d7f0180c6ed7dbf888502ce30d465

    • ISR Stealer

      ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.

    • ISR Stealer payload

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with FTP clients such as FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
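The behavioural signatures above are the kind of thing a detection engineer reproduces from raw sandbox or EDR telemetry. The block below is an added example, not tria.ge's own signature code: it runs a handful of those checks (location/geofence registry read, Run-key persistence, FTP-client config access, browser profile access, and execution of a file the sample itself wrote) over a constructed list of registry and file events. The event shape, the process IDs and every path are assumptions made for the example; the registry and file locations are the usual ones for GeoID, the Run key, FileZilla and Chrome/Firefox profiles, but adjust them to the telemetry you actually have.

```python
import re
from typing import Dict, List, Pattern, Set, Tuple

# Constructed sample of sandbox-style events (NOT taken from the tria.ge report):
# each event is one operation by a process on a registry or file target.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"pid": "1", "op": "RegQueryValue",
     "target": r"HKCU\Control Panel\International\Geo\Nation"},
    {"pid": "1", "op": "RegSetValue",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"pid": "1", "op": "CreateFile",
     "target": r"C:\Users\u\AppData\Roaming\FileZilla\sitemanager.xml"},
    {"pid": "1", "op": "CreateFile",
     "target": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": "1", "op": "CreateFile",
     "target": r"C:\Users\u\AppData\Roaming\Mozilla\Firefox\Profiles\abc.default\logins.json"},
    {"pid": "1", "op": "WriteFile",
     "target": r"C:\Users\u\AppData\Local\Temp\dropped.exe"},
    {"pid": "1", "op": "CreateProcess",
     "target": r"C:\Users\u\AppData\Local\Temp\dropped.exe"},
    {"pid": "2", "op": "CreateFile",            # benign activity, must not match
     "target": r"C:\Users\u\Documents\report.docx"},
]

# Stateless signatures: (name, operations that count, path pattern).
# Path locations are assumptions for the example (GeoID key, Run key,
# FileZilla XML configs, Chromium and Firefox credential stores).
SIGNATURES: List[Tuple[str, Set[str], Pattern[str]]] = [
    ("Checks computer location settings",
     {"RegQueryValue", "RegOpenKey"},
     re.compile(r"\\Control Panel\\International\\Geo\\", re.IGNORECASE)),
    ("Adds Run key to start application",
     {"RegSetValue"},
     re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)),
    ("Reads data files stored by FTP clients",
     {"CreateFile", "ReadFile"},
     re.compile(r"\\FileZilla\\(sitemanager|recentservers)\.xml$", re.IGNORECASE)),
    ("Reads user/profile data of web browsers",
     {"CreateFile", "ReadFile"},
     re.compile(r"(\\User Data\\[^\\]+\\(Login Data|Cookies|Web Data)$"
                r"|\\Firefox\\Profiles\\[^\\]+\\(logins\.json|key[34]\.db|cookies\.sqlite)$)",
                re.IGNORECASE)),
]


def match_signatures(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Return {signature name: [matching targets]} for an ordered event list.

    "Executes dropped EXE" is stateful: a CreateProcess only counts when the
    same path was written earlier in the trace, so the loop tracks written files.
    """
    hits: Dict[str, List[str]] = {}
    written: Set[str] = set()
    for ev in events:
        op, target = ev["op"], ev["target"]
        if op == "WriteFile":
            written.add(target.lower())
        if op == "CreateProcess" and target.lower() in written:
            hits.setdefault("Executes dropped EXE", []).append(target)
        for name, ops, pattern in SIGNATURES:
            if op in ops and pattern.search(target):
                hits.setdefault(name, []).append(target)
    return hits


def matched_names(events: List[Dict[str, str]]) -> List[str]:
    """Sorted list of signature names that fired, for a quick verdict line."""
    return sorted(match_signatures(events))


if __name__ == "__main__":
    for name, targets in match_signatures(SAMPLE_EVENTS).items():
        print(f"{name}:")
        for t in targets:
            print(f"    {t}")
```

The matching is deliberately path-based and case-insensitive because Windows paths are; the one correlation rule (write, then execute the same path) is what separates "Executes dropped EXE" from a plain process start, and it only holds within a single trace, so feed events in the order they were recorded.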
