Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    PICS09765432345678001.js

  • Size

    937B

  • Sample

    230420-f2e8hafg64

  • MD5

    1de1213f3b92347423fb223ca44d36f1

  • SHA1

    208df542788427737c54b61c99087878d0fcbef7

  • SHA256

    3248a4b2b6e1514e9a63b2f40f54df79f0eee9592f9c1146e485ebd3fb4998b9

  • SHA512

    9d2726b61c54473be66a985d354d01139853f4c9ffaa8801af945ff635d25b2a960f4430f6fad006b12156456008877083f279834abdaaecbd16d8b840df7c25

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    premium251.web-hosting.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    H?G7iEWK_W0R##

Targets

    • Target

      PICS09765432345678001.js

    • Size

      937B

    • MD5

      1de1213f3b92347423fb223ca44d36f1

    • SHA1

      208df542788427737c54b61c99087878d0fcbef7

    • SHA256

      3248a4b2b6e1514e9a63b2f40f54df79f0eee9592f9c1146e485ebd3fb4998b9

    • SHA512

      9d2726b61c54473be66a985d354d01139853f4c9ffaa8801af945ff635d25b2a960f4430f6fad006b12156456008877083f279834abdaaecbd16d8b840df7c25

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks