General

  • Target: a95b60573d18671bea63aafbb3f8dad7b94e3a30f51d9dbfaefdb8c96eccb956
  • Size: 397KB
  • Sample: 240327-v271vacc61
  • MD5: 36c49ce4084f9ed89e8897d38fac5086
  • SHA1: 1b2ae8d85f8fd6666e8e5d9597f4810f07c809c8
  • SHA256: a95b60573d18671bea63aafbb3f8dad7b94e3a30f51d9dbfaefdb8c96eccb956
  • SHA512: 60f9e9145556f73af8c9a19841c53441612287cf37d7bd46b7177e432e91974b2c96b9471c65bad4c7bb21ec9c0bb659c120777b1291a2b5783a6bceea54533c
  • SSDEEP: 6144:Kici2Jk2Qs+04iUiCLsMcOTjqXVbeH0g3/ODSLwmpeEI7UJYOd1swUa3R6l:gi2JJv+KUiZMcoSeT3gm9zJYOMwRol

Malware Config

Extracted

  • Family: stealc
  • C2: http://185.172.128.209
  • Attributes
    • url_path: /3cd2b41cbde8fc9c.php

Targets

    • Stealc: Stealc is an infostealer written in C++.
    • Downloads MZ/PE file
    • Checks computer location settings: Looks up country code configured in the registry, likely geofence.
    • Executes dropped EXE
    • Loads dropped DLL
    • Reads data files stored by FTP clients: Tries to access configuration files associated with programs like FileZilla.
    • Reads user/profile data of web browsers: Infostealers often target stored browser data, which can include saved credentials etc.
    • UPX packed file: Detects executables packed with UPX/modified UPX open source packer.
    • Accesses cryptocurrency files/wallets, possible credential harvesting
    • Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
    • Suspicious use of SetThreadContext