General

  • Target

    65cb316887cf8c4f1c5bbdfa226fa957f0a91cd5f858bb5f5f244d64da58077b

  • Size

    445KB

  • Sample

    240502-2pt2sagf3y

  • MD5

    a8985bb70c650992e207ddd25c5e6a3e

  • SHA1

    0329a58e279c966e17c667774d6f0c649475bffa

  • SHA256

    65cb316887cf8c4f1c5bbdfa226fa957f0a91cd5f858bb5f5f244d64da58077b

  • SHA512

    4c7c0c5a4a66ee91fcb7da3bcd45f9600f5d1c1f601b96cda283671c77342183d9156e1333b7cbadd1366d9f805b25b2e32e9b30b9e108bd61a6f22d81b61035

  • SSDEEP

    12288:f9zyluCg7RvcQ7tZRsuPE16N0N9k9ptHMx:PCg7RvcKKnitHMx

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.150

Attributes

  • url_path

    /c698e1bc8a2f5e6d.php

Targets

    • Detect ZGRat V1

    • Stealc

      Stealc is an infostealer written in C++.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Detect binaries embedding a considerable number of MFA browser extension IDs.

    • Detect binaries embedding a considerable number of cryptocurrency wallet browser extension IDs.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects encrypted or obfuscated .NET executables

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.
