Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

791cb146ce...ad.exe

windows7-x64

10

791cb146ce...ad.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    03/01/2024, 14:45 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    791cb146ce71d27b52dd233a80f5ac4e63f69d49af07a53850954da93ff439ad.exe

  • Size

    13.4MB

  • MD5

    6e08d023664e3f4e835ec3ec198b883a

  • SHA1

    43f2f3321a51f1ca308af891d2e1dbaaee48b045

  • SHA256

    791cb146ce71d27b52dd233a80f5ac4e63f69d49af07a53850954da93ff439ad

  • SHA512

    41d44ed76ecda43eab891a2e07cb43481478c39797e44ed017654a8bca346b90bfcf4f444532d8e9765173c2e9b26d5f524fe42ec9a7830230fedbe21f9e0ec1

  • SSDEEP

    12288:bu5DqC9/n1D0jAV8eCeoIl1TroJMExsi+vakV7tbQ3KtwU:buDXVsUThTFyJm

Score
10/10
marsstealerdefaultspywarestealer

Malware Config

Extracted

Family

marsstealer

Botnet

Default

Signatures

  • Mars Stealer

    An infostealer written in C++ based on other infostealers.

    stealermarsstealer
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\791cb146ce71d27b52dd233a80f5ac4e63f69d49af07a53850954da93ff439ad.exe
    "C:\Users\Admin\AppData\Local\Temp\791cb146ce71d27b52dd233a80f5ac4e63f69d49af07a53850954da93ff439ad.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1388
    • C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\41AKTQO.exe
      "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\41AKTQO.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2384
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 808
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2456

Network

  • flag-us
    DNS
    moscow-post.com
    41AKTQO.exe
    Remote address:
    8.8.8.8:53
    Request
    moscow-post.com
    IN A
    Response
    moscow-post.com
    IN A
    185.71.67.60
  • flag-ru
    GET
    http://moscow-post.com/xaoniu/server/waungowangued/g.php
    41AKTQO.exe
    Remote address:
    185.71.67.60:80
    Request
    GET /xaoniu/server/waungowangued/g.php HTTP/1.1
    Host: moscow-post.com
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 302 Moved Temporarily
    Server: nginx
    Date: Wed, 03 Jan 2024 14:46:23 GMT
    Content-Length: 0
    Connection: keep-alive
    Location: http://moscow-post.com/xaoniu/server/waungowangued/g.php
    Set-Cookie: __hash_=c163791db7f1afa1676e7a182b0a6ccd; Max-Age=900; Path=/
  • flag-ru
    GET
    http://moscow-post.com/xaoniu/server/waungowangued/g.php
    41AKTQO.exe
    Remote address:
    185.71.67.60:80
    Request
    GET /xaoniu/server/waungowangued/g.php HTTP/1.1
    Host: moscow-post.com
    Connection: Keep-Alive
    Cache-Control: no-cache
    Cookie: __hash_=c163791db7f1afa1676e7a182b0a6ccd
    Response
    HTTP/1.1 301 Moved Permanently
    Server: nginx
    Date: Wed, 03 Jan 2024 14:46:23 GMT
    Content-Type: text/html; charset=iso-8859-1
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: __lhash_=2ce2d1655ce376556b6184c83e66c344; Max-Age=604800; Path=/
    Location: http://www.moscow-post.com/xaoniu/server/waungowangued/g.php
  • flag-ru
    GET
    http://moscow-post.com/request
    41AKTQO.exe
    Remote address:
    185.71.67.60:80
    Request
    GET /request HTTP/1.1
    Host: moscow-post.com
    Cache-Control: no-cache
    Cookie: __hash_=c163791db7f1afa1676e7a182b0a6ccd; __lhash_=2ce2d1655ce376556b6184c83e66c344
    Response
    HTTP/1.1 301 Moved Permanently
    Server: nginx
    Date: Wed, 03 Jan 2024 14:46:37 GMT
    Content-Type: text/html; charset=iso-8859-1
    Transfer-Encoding: chunked
    Connection: keep-alive
    Location: http://moscow-post.com/request/
  • flag-ru
    GET
    http://moscow-post.com/request/
    41AKTQO.exe
    Remote address:
    185.71.67.60:80
    Request
    GET /request/ HTTP/1.1
    Host: moscow-post.com
    Cache-Control: no-cache
    Cookie: __hash_=c163791db7f1afa1676e7a182b0a6ccd; __lhash_=2ce2d1655ce376556b6184c83e66c344
    Connection: Keep-Alive
    Response
    HTTP/1.1 301 Moved Permanently
    Server: nginx
    Date: Wed, 03 Jan 2024 14:46:38 GMT
    Content-Type: text/html; charset=iso-8859-1
    Transfer-Encoding: chunked
    Connection: keep-alive
    Location: http://www.moscow-post.com/request/
  • flag-us
    DNS
    www.moscow-post.com
    41AKTQO.exe
    Remote address:
    8.8.8.8:53
    Request
    www.moscow-post.com
    IN A
    Response
    www.moscow-post.com
    IN A
    185.71.67.60
  • flag-us
    DNS
    www.moscow-post.com
    41AKTQO.exe
    Remote address:
    8.8.8.8:53
    Request
    www.moscow-post.com
    IN A
  • flag-ru
    GET
    http://www.moscow-post.com/xaoniu/server/waungowangued/g.php
    41AKTQO.exe
    Remote address:
    185.71.67.60:80
    Request
    GET /xaoniu/server/waungowangued/g.php HTTP/1.1
    Host: www.moscow-post.com
    Connection: Keep-Alive
    Cache-Control: no-cache
    Cookie: __hash_=c163791db7f1afa1676e7a182b0a6ccd; __lhash_=2ce2d1655ce376556b6184c83e66c344
    Response
    HTTP/1.1 301 Moved Permanently
    Server: nginx
    Date: Wed, 03 Jan 2024 14:46:34 GMT
    Content-Type: text/html; charset=iso-8859-1
    Transfer-Encoding: chunked
    Connection: keep-alive
    Location: http://www.moscow-post.su/xaoniu/server/waungowangued/g.php
  • flag-ru
    GET
    http://www.moscow-post.com/request/
    41AKTQO.exe
    Remote address:
    185.71.67.60:80
    Request
    GET /request/ HTTP/1.1
    Host: www.moscow-post.com
    Cache-Control: no-cache
    Cookie: __hash_=c163791db7f1afa1676e7a182b0a6ccd; __lhash_=2ce2d1655ce376556b6184c83e66c344
    Connection: Keep-Alive
    Response
    HTTP/1.1 301 Moved Permanently
    Server: nginx
    Date: Wed, 03 Jan 2024 14:46:39 GMT
    Content-Type: text/html; charset=iso-8859-1
    Transfer-Encoding: chunked
    Connection: keep-alive
    Location: http://www.moscow-post.su/request/
  • flag-us
    DNS
    www.moscow-post.su
    41AKTQO.exe
    Remote address:
    8.8.8.8:53
    Request
    www.moscow-post.su
    IN A
    Response
    www.moscow-post.su
    IN A
    185.71.67.60
  • flag-us
    DNS
    www.moscow-post.su
    41AKTQO.exe
    Remote address:
    8.8.8.8:53
    Request
    www.moscow-post.su
    IN A
  • flag-ru
    GET
    http://www.moscow-post.su/xaoniu/server/waungowangued/g.php
    41AKTQO.exe
    Remote address:
    185.71.67.60:80
    Request
    GET /xaoniu/server/waungowangued/g.php HTTP/1.1
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: www.moscow-post.su
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 03 Jan 2024 14:46:37 GMT
    Content-Length: 13510
    Connection: keep-alive
    Set-Cookie: __js_p_=197,1800,0,0,0; Path=/
    Cache-Control: no-cache
    Content-Type: text/html; charset=utf-8
  • flag-ru
    GET
    http://www.moscow-post.su/request/
    41AKTQO.exe
    Remote address:
    185.71.67.60:80
    Request
    GET /request/ HTTP/1.1
    Host: www.moscow-post.su
    Cache-Control: no-cache
    Cookie: __js_p_=197,1800,0,0,0
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 03 Jan 2024 14:46:39 GMT
    Content-Length: 13510
    Connection: keep-alive
    Set-Cookie: __js_p_=199,1800,0,0,0; Path=/
    Cache-Control: no-cache
    Content-Type: text/html; charset=utf-8
  • 185.71.67.60:80
    http://moscow-post.com/request/
    http
    41AKTQO.exe
    1.7kB
     2.7kB
     15
    15

    HTTP Request

    GET http://moscow-post.com/xaoniu/server/waungowangued/g.php

    HTTP Response

    302

    HTTP Request

    GET http://moscow-post.com/xaoniu/server/waungowangued/g.php

    HTTP Response

    301

    HTTP Request

    GET http://moscow-post.com/request

    HTTP Response

    301

    HTTP Request

    GET http://moscow-post.com/request/

    HTTP Response

    301
  • 185.71.67.60:80
    http://www.moscow-post.com/request/
    http
    41AKTQO.exe
    981 B
     1.6kB
     12
    11

    HTTP Request

    GET http://www.moscow-post.com/xaoniu/server/waungowangued/g.php

    HTTP Response

    301

    HTTP Request

    GET http://www.moscow-post.com/request/

    HTTP Response

    301
  • 185.71.67.60:80
    http://www.moscow-post.su/request/
    http
    41AKTQO.exe
    1.7kB
     30.6kB
     24
    28

    HTTP Request

    GET http://www.moscow-post.su/xaoniu/server/waungowangued/g.php

    HTTP Response

    200

    HTTP Request

    GET http://www.moscow-post.su/request/

    HTTP Response

    200
  • 8.8.8.8:53
    moscow-post.com
    dns
    41AKTQO.exe
    61 B
     77 B
     1
    1

    DNS Request

    moscow-post.com

    DNS Response

    185.71.67.60

  • 8.8.8.8:53
    www.moscow-post.com
    dns
    41AKTQO.exe
    130 B
     81 B
     2
    1

    DNS Request

    www.moscow-post.com

    DNS Request

    www.moscow-post.com

    DNS Response

    185.71.67.60

  • 8.8.8.8:53
    www.moscow-post.su
    dns
    41AKTQO.exe
    128 B
     80 B
     2
    1

    DNS Request

    www.moscow-post.su

    DNS Request

    www.moscow-post.su

    DNS Response

    185.71.67.60

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\41AKTQO.exe
    Filesize

    159KB

    MD5

    a103174262d8c3fd501ffb95323c60b1

    SHA1

    e40f0dd566ba3d50886d3f9e82bf2c108370d62b

    SHA256

    bc65e75fcfee4ff9655005f8496f7c86feb892f0caec33c2208e8381cb967248

    SHA512

    a023dd3997474d427d963a23ccbe7091fdda53d8fde1e1c43eb2e67090a27bd1b0f9eee08757993125cfe10683c38ab0db2194a5847ff51e39d636357c381da2

    Download Submit

  • memory/1388-0-0x00000000010E0000-0x0000000001162000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1388-1-0x00000000748A0000-0x0000000074F8E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1388-2-0x0000000000DF0000-0x0000000000E30000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1388-14-0x00000000748A0000-0x0000000074F8E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1388-11-0x0000000000C20000-0x0000000000C5D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/2384-13-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.