Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    18382f6c7f8b52c779243c6cc7d4cbc51a95d31d40bc748bc2ec65c63219c358.ps1

  • Size

    72KB

  • Sample

    240705-be6pqaycpm

  • MD5

    51299f3a266034e35d706a1d0aa5580b

  • SHA1

    3c9ef68f69b9f8c2941e9d765ae0ae8df9bfdf14

  • SHA256

    18382f6c7f8b52c779243c6cc7d4cbc51a95d31d40bc748bc2ec65c63219c358

  • SHA512

    b125b9e91fd5b3516ed5218d47316a9f4c6f052ae7c4d517eae18abb8643f1145adf117eb2d852ee684e1ffef4d85c0aab33935cebc0effc11e3f160a5bb0b23

  • SSDEEP

    1536:F8SdVn5ahg5yYp6zdv/5l05Qo8l01zhwZPhZcLrJS7srHX6Cg:F8SdVn5Uwiv/5IQo8l01zhw5hUr9KCg

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

https://github.com/ChildrenOfYahweh/Kematian-Stealer/raw/main/frontend-src/blockhosts.ps1

exe.dropper

https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/antivm.ps1

exe.dropper

http://ip-api.com/json

exe.dropper

https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/webcam.ps1

exe.dropper

https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/kematian_shellcode.ps1

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/webcam.ps1

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/kematian_shellcode.ps1

Targets

    • Target

      18382f6c7f8b52c779243c6cc7d4cbc51a95d31d40bc748bc2ec65c63219c358.ps1

    • Size

      72KB

    • MD5

      51299f3a266034e35d706a1d0aa5580b

    • SHA1

      3c9ef68f69b9f8c2941e9d765ae0ae8df9bfdf14

    • SHA256

      18382f6c7f8b52c779243c6cc7d4cbc51a95d31d40bc748bc2ec65c63219c358

    • SHA512

      b125b9e91fd5b3516ed5218d47316a9f4c6f052ae7c4d517eae18abb8643f1145adf117eb2d852ee684e1ffef4d85c0aab33935cebc0effc11e3f160a5bb0b23

    • SSDEEP

      1536:F8SdVn5ahg5yYp6zdv/5l05Qo8l01zhwZPhZcLrJS7srHX6Cg:F8SdVn5Uwiv/5IQo8l01zhw5hUr9KCg

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks