General

  • Target

    StubBuilder.rar

  • Size

    9.8MB

  • Sample

    230820-wgbmksad5s

  • MD5

    ecaf886156ca26b4c09503d65b3adb08

  • SHA1

    8fcdaba4c79e3d74ea9774062fd2f3815bc827bd

  • SHA256

    caba108ecd1e8601819b9863c8f790b8f93f00d607e0d5a2089bb8148905128f

  • SHA512

    22929d4f0ddf992cf2c7471f80e0c4dc71f6175898318d494538c27713a8a11fec680186574f6c1cffba01042a096aac659f140375565825fdcf15b23f49a962

  • SSDEEP

    196608:Ta/QbujucsqRVaPGo9onqOM5dJ7giry3Z6KbDzGrdIMZILmhN0U58:N8ucsqRe2qOG7Zrba6zZUSny

Malware Config

Targets

    • Target

      StubBuilder/Guna.UI2.dll

    • Size

      2.2MB

    • MD5

      934c47fe3a9a700c9bd7256918ea2a55

    • SHA1

      5b4ab5482adbe76e4ad27c4a3d6f1e24e2d1082e

    • SHA256

      93875f9056684dad7f345ad63a9d9fbad8fe3c83ae9bd82f618a1e1cb5f1e8a6

    • SHA512

      9186860bcba7dabc22812c42c4ac941930a561cba3e2dd54b6234dd068786f690302241e42a747d2cf102b1fcd325126c3b6f9174cb21702c6951847ac318ec1

    • SSDEEP

      24576:7YiAs/rXPAYkqjW7CedtntpzuVHt7hyFpASvvD9oA3cPPEMvDbEU+rHQ/jza:7Yk/rtujLYVN701mA3v

    Score

    1/10

    • Target

      StubBuilder/StubBuilder.exe

    • Size

      44KB

    • MD5

      b3dd3992c85fd1cfc877a236b97d3a3a

    • SHA1

      e3f52a75340f82c4e8f9ac47cb2209ae8f76a84a

    • SHA256

      fde4fdd98d9e67bd412738f5b41e79d15c3e1f4bc861662c669e6f30569a2962

    • SHA512

      e172e9cb3480e5b9fff939b69f7c26953ee6e39dc77c552f3a9638b9d462dc98a1a0872c3c888d52bb09d24c247b4285bacde7b331d0cf6805e8253e64b9361e

    • SSDEEP

      768:s+s3XohtlvF5dF7VM9qBhAmmC1+yr66fIVbcjw:zsHohv7VMUBQByWCw

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      StubBuilder/StubBuilderHelper.exe

    • Size

      9.2MB

    • MD5

      1a1e9ea16aeec7ece068d0324d40da00

    • SHA1

      9e33dae3fdc90ad356de23000566a97284c43b72

    • SHA256

      42d82da1f1cce098fa96a1b97c83e0044530b10d76b1543587bee724ec62923c

    • SHA512

      d71932b4d669f056f1b7eae4140115871ec11515f056e4b48eecafa7c41f8df756cd3e056f963ddb15e6d0fe189915135291630e3d734d90a942a900e594fd84

    • SSDEEP

      196608:/cdzUjpRRofdQmR5dA6lsuErSEEJwzeiOF6OVsmYPuksBq:8oVRRqdQ2ls+9JqelOmz

    Score

    7/10

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks