Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
7671fc7acb0...20.exe
windows7-x64
10671fc7acb0...20.exe
windows10-2004-x64
10$PLUGINSDIR/INetC.dll
windows7-x64
3$PLUGINSDIR/INetC.dll
windows10-2004-x64
3$TEMP/BroomSetup.exe
windows7-x64
7$TEMP/BroomSetup.exe
windows10-2004-x64
7$TEMP/syncUpd.exe
windows7-x64
10$TEMP/syncUpd.exe
windows10-2004-x64
10General
-
Target
671fc7acb0f580ff3a30e09ebeee1e3205aa9a446f75616b542fbd0a3aa1b120
-
Size
2.0MB
-
Sample
240312-xvcbpsbb37
-
MD5
0f115f24c7465cfa6a1679b3464f5771
-
SHA1
131e8238bd8605714add657992ba6efdaf424604
-
SHA256
671fc7acb0f580ff3a30e09ebeee1e3205aa9a446f75616b542fbd0a3aa1b120
-
SHA512
0ec11d304004729c9493d847123e947beeb0ef1e4c5268ea542e36b247e958effb4f847baacecb444dd3bba507e455a5f621c0ee23fc8cedf0736a351832ad28
-
SSDEEP
49152:LtM+Cjo7TVrVH/qinqKgGOpa2PGLN2/5bsPwWFVICIEGxMa27:C+/VrcoqK06vwEV2rQ
Behavioral task
behavioral1
Sample
671fc7acb0f580ff3a30e09ebeee1e3205aa9a446f75616b542fbd0a3aa1b120.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
671fc7acb0f580ff3a30e09ebeee1e3205aa9a446f75616b542fbd0a3aa1b120.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/INetC.dll
Resource
win7-20240215-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/INetC.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
$TEMP/BroomSetup.exe
Resource
win7-20240220-en
Behavioral task
behavioral6
Sample
$TEMP/BroomSetup.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral7
Sample
$TEMP/syncUpd.exe
Resource
win7-20240221-en
Malware Config
Extracted
stealc
http://185.172.128.145
-
url_path
/3cd2b41cbde8fc9c.php
Targets
-
-
Target
671fc7acb0f580ff3a30e09ebeee1e3205aa9a446f75616b542fbd0a3aa1b120
-
Size
2.0MB
-
MD5
0f115f24c7465cfa6a1679b3464f5771
-
SHA1
131e8238bd8605714add657992ba6efdaf424604
-
SHA256
671fc7acb0f580ff3a30e09ebeee1e3205aa9a446f75616b542fbd0a3aa1b120
-
SHA512
0ec11d304004729c9493d847123e947beeb0ef1e4c5268ea542e36b247e958effb4f847baacecb444dd3bba507e455a5f621c0ee23fc8cedf0736a351832ad28
-
SSDEEP
49152:LtM+Cjo7TVrVH/qinqKgGOpa2PGLN2/5bsPwWFVICIEGxMa27:C+/VrcoqK06vwEV2rQ
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
$PLUGINSDIR/INetC.dll
-
Size
21KB
-
MD5
2b342079303895c50af8040a91f30f71
-
SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e
-
SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f
-
SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47
-
SSDEEP
384:KOoVVefeWsI7rsIquPLNN546o0Ac9khYLMkIX0+Gzyekv:4VVaeE7wIqyJN5i
Score3/10 -
-
-
Target
$TEMP/BroomSetup.exe
-
Size
1.7MB
-
MD5
eee5ddcffbed16222cac0a1b4e2e466e
-
SHA1
28b40c88b8ea50b0782e2bcbb4cc0f411035f3d5
-
SHA256
2a40e5dccc7526c4982334941c90f95374460e2a816e84e724e98c4d52ae8c54
-
SHA512
8f88901f3ebd425818db09f268df19ccf8a755603f04e9481bcf02b112a84393f8a900ead77f8f971bfa33fd9fa5636b7494aaee864a0fb04e3273911a4216dc
-
SSDEEP
49152:YUnaQiKJ8N+AadA6mICFhNGffVCPi9NUko6jE:ZwKa+u6mICFSwPKDK
Score7/10 -
-
-
Target
$TEMP/syncUpd.exe
-
Size
200KB
-
MD5
11a8185b4885be3b627a0231d08719ae
-
SHA1
8b18353b7a52d66e4a868e4d12a21a0533fa0ee0
-
SHA256
2b26a0dac779643189180d9e50ace8e299c5487a9a8cdaf4300cc64a9d674b33
-
SHA512
091c82a9063b5371cc5d35e51dc73c956160477d0293137ae14fa4a7ec70ddc68a2dbd8601bbb8a80636b793c0e53b0887674a6bf3c383354d8722af083a4d6b
-
SSDEEP
3072:pHOLgO34PMRjf0jtAV+vQoCNJpuumeuG3BYBI3PuHhCadEZE+:pEg8RIOVboCZuAwW
Score10/10-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-