Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
2024-06-24_4aef5da701cfa3b82624aa947c4a70ca_ngrbot_poet-rat_snatch
-
Size
9.5MB
-
Sample
240624-eh1jnawhkf
-
MD5
4aef5da701cfa3b82624aa947c4a70ca
-
SHA1
4f3d48c3b29a8abee5e293cec02aa975c5a80f99
-
SHA256
4f10480dea6509d5d660ad7bb7d8169b51b66badc4996068a325c15ea4ae9dd6
-
SHA512
11ff77315b9f0a18e295efa6629a095e7c593c91b74dcfa73fd68f376586fc325b78e4db307a73e634b500f5c351209ad7da853dc49859a51fd7273ef5bda0ba
-
SSDEEP
98304:tcJW4J6EdbyvYB8LY0iyo4t2EyzxqFgzC13h:onJ6EIwAY0iyrtzyzPC13h
Malware Config
Extracted
skuld
https://discord.com/api/webhooks/1253112821869445170/mrbfEJTpSvfpjbbvCVeYAiI0KbjjcCUTKgpRyRHniWbHDTS44OWIj4mT-_XnWPFVYi9F
Targets
-
-
Target
2024-06-24_4aef5da701cfa3b82624aa947c4a70ca_ngrbot_poet-rat_snatch
-
Size
9.5MB
-
MD5
4aef5da701cfa3b82624aa947c4a70ca
-
SHA1
4f3d48c3b29a8abee5e293cec02aa975c5a80f99
-
SHA256
4f10480dea6509d5d660ad7bb7d8169b51b66badc4996068a325c15ea4ae9dd6
-
SHA512
11ff77315b9f0a18e295efa6629a095e7c593c91b74dcfa73fd68f376586fc325b78e4db307a73e634b500f5c351209ad7da853dc49859a51fd7273ef5bda0ba
-
SSDEEP
98304:tcJW4J6EdbyvYB8LY0iyo4t2EyzxqFgzC13h:onJ6EIwAY0iyrtzyzPC13h
Score10/10-
Skuld stealer
An info stealer written in Go lang.
-
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects executables Discord URL observed in first stage droppers
-
Detects executables containing SQL queries to confidential data stores. Observed in infostealers
-
Detects executables containing URLs to raw contents of a Github gist
-
Detects executables containing possible sandbox system UUIDs
-
Detects executables referencing virtualization MAC addresses
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1