General

  • Target

    finestztaxes.exe

  • Size

    73.0MB

  • Sample

    240725-qgf96stcmh

  • MD5

    42b04f5496cda4442d623e244e1132fc

  • SHA1

    c24a6609336b8c17d2a494a63ca4ebe807487a6e

  • SHA256

    4ca523cee9a090bf53f0b388424f9a946a18e8fcb863ecd3bcc0e0435854ea26

  • SHA512

    3fdce54518691860c3a4a2846fe08c04c6c1a5d8db22d138da8143765675fe9b3bd0e36bb3450aa608886e899303f0396031d5eb5c4ab1edba811fb50060b758

  • SSDEEP

    1572864:PejOYf5LK9FIXMNo2EBQ2WZPOryvRCW7zjI4Qp1HrP97:P4eFI8O2EBQ2NzW/jI4O1LV7

Malware Config

Targets

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • An obfuscated cmd.exe command-line is typically used to evade detection.

    • Drops file in System32 directory

    • Enumerates processes with tasklist

MITRE ATT&CK Enterprise v15

Tasks