3248a4b2b6e1514e9a63b2f40f54df79f0eee9592f9c1146e485ebd3fb4998b9 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

1

PICS097654...001.js

windows7-x64

8

PICS097654...001.js

windows10-2004-x64

Sharing

General

Target

PICS09765432345678001.js
Size

937B
Sample

230420-f2e8hafg64
MD5

1de1213f3b92347423fb223ca44d36f1
SHA1

208df542788427737c54b61c99087878d0fcbef7
SHA256

3248a4b2b6e1514e9a63b2f40f54df79f0eee9592f9c1146e485ebd3fb4998b9
SHA512

9d2726b61c54473be66a985d354d01139853f4c9ffaa8801af945ff635d25b2a960f4430f6fad006b12156456008877083f279834abdaaecbd16d8b840df7c25

Score

10^/10

collection spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

PICS09765432345678001.js

Resource

win7-20230220-en

collection spyware stealer

windows7-x64

20 signatures

150 seconds

Behavioral task

behavioral2

Sample

PICS09765432345678001.js

Resource

win10v2004-20230220-en

collection spyware stealer

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
premium251.web-hosting.com
Port:
587
Username:
[email protected]
Password:
H?G7iEWK_W0R##

Targets

- Target
  
  PICS09765432345678001.js
- Size
  
  937B
- MD5
  
  1de1213f3b92347423fb223ca44d36f1
- SHA1
  
  208df542788427737c54b61c99087878d0fcbef7
- SHA256
  
  3248a4b2b6e1514e9a63b2f40f54df79f0eee9592f9c1146e485ebd3fb4998b9
- SHA512
  
  9d2726b61c54473be66a985d354d01139853f4c9ffaa8801af945ff635d25b2a960f4430f6fad006b12156456008877083f279834abdaaecbd16d8b840df7c25
Score

10^/10

collection spyware stealer
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Install Root Certificate

Modify Registry

Web Service

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

collectionspywarestealer

behavioral2

collectionspywarestealer

© 2018-2025

Terms | Privacy