General

  • Target

    main (1).exe

  • Size

    89KB

  • Sample

    240714-25v9sayhkc

  • MD5

    755ee27c14914293c29ce91be08c20df

  • SHA1

    cd4b0c9f25261d59689416734f9495a0c30bde17

  • SHA256

    f57315d9f70cab67669c23e10b081aac70f336369605d8c5e3079411f61e36de

  • SHA512

    a250ef4af67d0b5cb4d671ae72f689fcfc4704c0ce99768a7408e0824b1465f9e94e9027f8e6b2855bc0dfe4201deca85333809d34fad617e7ab411c7e10540c

  • SSDEEP

    1536:R97fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfBweOy:Rp7DhdC6kzWypvaQ0FxyNTBfBt

Malware Config

Extracted configurations (three PowerShell droppers):

  #  Language  Deobfuscated  URL type     URL
  1  ps1                     exe.dropper  https://full-recording.gl.at.ply.gg:14817/data
  2  ps1                     ps1.dropper  https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/webcam.ps1
  3  ps1                     ps1.dropper  https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/kematian_shellcode.ps1

Targets

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.