General

  • Target

    SOA.exe

  • Size

    713KB

  • Sample

    230202-kcf6qafe95

  • MD5

    3b7b59917536997d4929921cca58850c

  • SHA1

    420adc000e70e420f0f6f7d862c23d51623edda1

  • SHA256

    bc6376ada7da41e46d4fd7b69303d9f08a89217e1e6ae4077afbf1fc65689118

  • SHA512

    7a6862fd909b112e6461a6f7a1ff54d5426ae65af35b7567d662aac97cb1a3558506a92f130a3d61b785c277c23565e9105a4403c1bc67e63204e5af1a910d81

  • SSDEEP

    12288:xAPKAvNFVW9iIA3inEXfjr6ghBCTiBqhnvoUmZSQHUWeh3ih9HOAjEzjF:aSAvNXWgIznMbr4O+nFmwkUBYTvIzjF

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.gupbd.org
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Gup@1973#2022

Targets

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
