General

  • Target: a190d0b27496535d769fcefad1c9cd7ccb95f0a8b31420d56a0fb04ee296e729
  • Size: 2.4MB
  • Sample: 240709-gtywbasajc
  • MD5: dc6d0e94da95046ac49210eb69d07f3a
  • SHA1: b4eafd79759bbf40a1205f2d523a0820c434d4f4
  • SHA256: a190d0b27496535d769fcefad1c9cd7ccb95f0a8b31420d56a0fb04ee296e729
  • SHA512: 98ed20e3ea7eaf0e03415a319a2e705df07be86cb6c9323936ead95961819f300861dbac59446b2c79ab28dd354b150bc1aa5f835c135dbfa2d0347b3e24bc24
  • SSDEEP: 49152:kx6msz9jU7CmI3hqFHGiAX3wv//EJQQ/6lUyiMcIzC0+bS+2lV0:RZUGmIxqFHiX3w8JQU6lUdMxzL+bS+2+

Malware Config

Extracted

  • Family: stealc
  • Botnet: Nice
  • C2: http://85.28.47.30
  • Attributes
    • url_path: /920475a59bac849d.php

Targets

  • Target: 43fefcf79068cf7cb0b45426f60c89eb92943c652be486e9b9ecd7d5b92ce282.exe
  • Size: 2.4MB
  • MD5: b618c6daef256eeded4cc8c92b5f7110
  • SHA1: f4775fb13f91ac4dede2f2bd24bb0170851923e7
  • SHA256: 43fefcf79068cf7cb0b45426f60c89eb92943c652be486e9b9ecd7d5b92ce282
  • SHA512: 27b526f5f821dc74f1a555795a14c74e5532898681dfebc4ddc08df334fccd60feea931e9db038056df28a509cfc813cd281db3ad382072d52aaae57ecc0f2e6
  • SSDEEP: 49152:HIChsgHpNPYI9N/DsLps9bOULnDs4g3kGh8haNZ+OmFIYk4xO:oZgHTwI9N/oL8Osn9pGIaf+qY5

  • Stealc: Stealc is an infostealer written in C++.
  • Downloads MZ/PE file
  • Checks computer location settings: Looks up the country code configured in the registry, likely for geofencing.
  • Deletes itself
  • Loads dropped DLL
  • Reads data files stored by FTP clients: Tries to access configuration files associated with programs like FileZilla.
  • Reads user/profile data of web browsers: Infostealers often target stored browser data, which can include saved credentials, etc.
  • Accesses cryptocurrency files/wallets, possible credential harvesting
  • Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
  • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks