Resubmissions

02/09/2023, 14:51

230902-r8cxhaea23 10

02/09/2023, 14:49

230902-r65vhadf3s 10

General

  • Target: Grammarly Promotional Launcher.exe
  • Size: 20.4MB
  • Sample: 230902-r8cxhaea23
  • MD5: 9ed667ef1d116c0cb1051b8001b6ea0f
  • SHA1: cbe4fdb8847ff9b5d0aa1e0a43bb3abd28f4a875
  • SHA256: deba2be10d757679996d33d70d37b968088ba37e1d0f86d71beb8be38c34262f
  • SHA512: 4fc726f8f2ca7f024f5db1a660a3c9dff109014cc2f56097470b317950d05956c084f2e19fb9da3d14d589444c2bb0a7a370bce8b5dc049b5d3e774994bdd4e1
  • SSDEEP: 393216:onRZwqeWLCKhc+0Uz+JD8rY5Pobe7n/k8MoeTtqLiVc4GYbJQp:CN1hxX+QrY5PAe7/kHtsii4bbJG

Malware Config

Extracted

  • Family: stealc
  • Botnet: 9323114451583182971321730716
  • C2: http://89.23.108.122
  • Attributes
    • url_path: /e510c4e87f874d68.php
    • rc4.plain

Targets

    • Target: Grammarly Promotional Launcher.exe

    • Stealc: Stealc is an infostealer written in C++.
    • Downloads MZ/PE file
    • Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
    • Loads dropped DLL
    • Accesses cryptocurrency files/wallets, possible credential harvesting
    • Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks