Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

1

cstealer-m...ler.py

windows7-x64

3

cstealer-m...ler.py

windows10-2004-x64

3

cstealer-m...ll.bat

windows7-x64

1

cstealer-m...ll.bat

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/08/2024, 17:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cstealer-main/install.bat

  • Size

    49B

  • MD5

    ebeaccf4443e852caac1dd62952d3c43

  • SHA1

    02ce957a5144a3dfd1558cb71183b437f6ae37c8

  • SHA256

    ebda70b1032e47f5e35e1de47d993d8d8e0d3718e6d4f345ce6432f6dcffb705

  • SHA512

    34324a97ceb9dd7ac46a4906ae049fbd225ed904bcd85dc0b029ff6e66353d07e41d019c2a8139205a35b492c3f2aee8f674c14019b7006a9672f8bd6d072a49

Score
8/10
defense_evasion

Malware Config

Signatures

  • Downloads MZ/PE file
  • Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

    When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

    defense_evasion
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SendNotifyMessage 20 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cstealer-main\install.bat"
    1⤵
      PID:3596
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:4832
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Subvert Trust Controls: Mark-of-the-Web Bypass
        • Checks processor information in registry
        • Modifies registry class
        • NTFS ADS
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2712
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1888 -prefsLen 23602 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {40563d02-8ea1-4464-9901-a47f1153012e} 2712 "\\.\pipe\gecko-crash-server-pipe.2712" gpu
          3⤵
            PID:920
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 23638 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07686b56-3efe-4ba0-985f-2f5ddaf55bf2} 2712 "\\.\pipe\gecko-crash-server-pipe.2712" socket
            3⤵
              PID:4164
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3164 -childID 1 -isForBrowser -prefsHandle 3156 -prefMapHandle 3152 -prefsLen 23779 -prefMapSize 244628 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8d43079-f989-4f19-a692-27de1a60b6c6} 2712 "\\.\pipe\gecko-crash-server-pipe.2712" tab
              3⤵
                PID:1064
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3788 -childID 2 -isForBrowser -prefsHandle 3768 -prefMapHandle 3764 -prefsLen 29012 -prefMapSize 244628 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4ac857c-d696-4b03-bdbf-2142912ca619} 2712 "\\.\pipe\gecko-crash-server-pipe.2712" tab
                3⤵
                  PID:3288
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4776 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4840 -prefMapHandle 4860 -prefsLen 29012 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3855e7b1-3809-4511-8dc0-ec338fb0d76b} 2712 "\\.\pipe\gecko-crash-server-pipe.2712" utility
                  3⤵
                  • Checks processor information in registry
                  PID:1440
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1460 -childID 3 -isForBrowser -prefsHandle 1456 -prefMapHandle 5340 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b359c7e4-c2fa-4333-9380-a2152f1e3e95} 2712 "\\.\pipe\gecko-crash-server-pipe.2712" tab
                  3⤵
                    PID:5080
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5500 -childID 4 -isForBrowser -prefsHandle 5508 -prefMapHandle 5512 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb4bac6e-8cbb-416c-9f85-a2fac66914ff} 2712 "\\.\pipe\gecko-crash-server-pipe.2712" tab
                    3⤵
                      PID:1364
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5592 -childID 5 -isForBrowser -prefsHandle 5708 -prefMapHandle 5712 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07003d8d-ef2d-4cbb-be44-20fa987ff25a} 2712 "\\.\pipe\gecko-crash-server-pipe.2712" tab
                      3⤵
                        PID:1156
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6068 -childID 6 -isForBrowser -prefsHandle 6084 -prefMapHandle 6080 -prefsLen 27211 -prefMapSize 244628 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52d912be-f050-45ec-844d-af8f5786d139} 2712 "\\.\pipe\gecko-crash-server-pipe.2712" tab
                        3⤵
                          PID:1172
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3684 -childID 7 -isForBrowser -prefsHandle 5244 -prefMapHandle 5372 -prefsLen 27272 -prefMapSize 244628 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a3ff116-6239-492e-a923-4b53a2cb1edc} 2712 "\\.\pipe\gecko-crash-server-pipe.2712" tab
                          3⤵
                            PID:2708
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5564 -childID 8 -isForBrowser -prefsHandle 5096 -prefMapHandle 5012 -prefsLen 27272 -prefMapSize 244628 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f52f07cc-aef9-4b38-a72a-2d71a128794a} 2712 "\\.\pipe\gecko-crash-server-pipe.2712" tab
                            3⤵
                              PID:2864

                        Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\activity-stream.discovery_stream.json.tmp
                          Filesize

                          21KB

                          MD5

                          0208b5325ae82cef74edbb3c73a9b7f5

                          SHA1

                          05a48f2da14b157bcd1e8a492ff18057278ac287

                          SHA256

                          edecb0dcf202cdeff15d70961cf917834d9a0598182008b75c748585f9ed95a2

                          SHA512

                          93431bc87265dda44d22ecbb621122623dc03b33a33b5d7d5902c9c16e9f60c051d60e3d61171a00359c9f0420085bb659a04e08f1f08f37bbd8d7c4e3171e2e

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                          Filesize

                          479KB

                          MD5

                          09372174e83dbbf696ee732fd2e875bb

                          SHA1

                          ba360186ba650a769f9303f48b7200fb5eaccee1

                          SHA256

                          c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                          SHA512

                          b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                          Filesize

                          13.8MB

                          MD5

                          0a8747a2ac9ac08ae9508f36c6d75692

                          SHA1

                          b287a96fd6cc12433adb42193dfe06111c38eaf0

                          SHA256

                          32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                          SHA512

                          59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\AlternateServices.bin
                          Filesize

                          7KB

                          MD5

                          e700fe15a743fb518aecb1dcd09a85a9

                          SHA1

                          c48a15ee22be6853b4d5c7209a60cc8a499dd557

                          SHA256

                          9ce09cddb489c0dab0a42a0eee69cc3eeb19dc28c03d2c9e798cbc033223dc61

                          SHA512

                          c6cf547b563b3dbd1639ec5c1a62ed742a7e8236a18d658079bbe457cce2be24f08abd0b7a4512d142260e6df091505c4fd857bbbfa665bfbcb805e123f3f06b

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp
                          Filesize

                          22KB

                          MD5

                          3ac47217420f7bb5d08f42b3c964d7de

                          SHA1

                          c53fe49bc606ed92b76d926aa20e226625801f10

                          SHA256

                          adf473e2763840732107b3402f896062057ec515f82b328c3ac6ba5f53cadcac

                          SHA512

                          c976b482551d47f403aac41359f11512cec6b431bef36f7fadd2b9a96d3d64c5982ef217342eefeeb2c7d2a63641aec207372c79ecc1eb49680cd7f22d6f1304

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp
                          Filesize

                          23KB

                          MD5

                          6cf586283a156bf746372697dd0df797

                          SHA1

                          9eaf31564bdd42fe027e7e863dc68900563d068b

                          SHA256

                          ae42fcd80707b215f41d26d4a2ad7f96c24ad58cd655cfab17adbf4b1003f77c

                          SHA512

                          700ea83baf39432f635ea33e87d58f58aa6bb945e9e790e819ee2e5b357406a83e863d3b2d8e94d68f79cc8ad214e2325c2a14abe23cb2e79319ff2d4dd4779a

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\5fd107b5-be8e-47ac-85c4-c1e5e489e56d
                          Filesize

                          982B

                          MD5

                          21cad35ad2f752440490cec7fd88609f

                          SHA1

                          1790479dbffc7d657a1aee40da7e9cfeff99ca09

                          SHA256

                          07dd3a783aa65000c22042ccd86f5a5f037df327f463a89ae72693c85e6a3f77

                          SHA512

                          37f17cc9764e9de3edde98c7ab57837149fcda980571405aa8f2f2513177959863406b5cf552419915353f54fccfb1dd95164982fc5a774dbf5628a8552ca209

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\ac1e2629-7942-43be-80f2-351d3ef1de5b
                          Filesize

                          659B

                          MD5

                          bba2c28e0e97d8b056a347d32e15fe81

                          SHA1

                          dd54bda093731d4b932099d0ec30d92e0fd302f8

                          SHA256

                          da228bafb868a33573b4ad4d91da6c47a173eb3db17278868f50cdd9e05927e1

                          SHA512

                          9b7928197edc9972a7409dd199cf1a74eed1dc0b8e9c9cf63c6fe6963897576bc968a2f37f8bc41e5d101ac7ad785a8dde9061870821ec41de2a10cfb8945620

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
                          Filesize

                          1.1MB

                          MD5

                          842039753bf41fa5e11b3a1383061a87

                          SHA1

                          3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                          SHA256

                          d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                          SHA512

                          d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
                          Filesize

                          116B

                          MD5

                          2a461e9eb87fd1955cea740a3444ee7a

                          SHA1

                          b10755914c713f5a4677494dbe8a686ed458c3c5

                          SHA256

                          4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                          SHA512

                          34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
                          Filesize

                          372B

                          MD5

                          bf957ad58b55f64219ab3f793e374316

                          SHA1

                          a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                          SHA256

                          bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                          SHA512

                          79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
                          Filesize

                          11.4MB

                          MD5

                          1ce7130c794f24eb267fb6aefad204a7

                          SHA1

                          b54ca5ee79178abc2829f459923309b542b4faa0

                          SHA256

                          cc89790b83b24fc29a40178c10fdb9c0a6b094248c7c19789bcc27f6fb685917

                          SHA512

                          a051d7ea29c37a123a09c3172b12e3f8899733e7c477f37271b5df706bbae60d6be88ac34da88961f378226c855a0e4149f57dfd2cc38045c55a18f5cd83c3b1

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs-1.js
                          Filesize

                          11KB

                          MD5

                          ea349803ac0a1b89c2eee2d0cd57fb92

                          SHA1

                          d20af73220107028ba4fb9ac12cefb8b59212c81

                          SHA256

                          dfd7f3d0ebb08226273dd47f0a94c8381451ed6fa0bc0cf41ea5ecf937cff68a

                          SHA512

                          e408df22d5de8936c66888690734a0e82ecfb7e2e1d82414c6cf49d9a9dbf99594a25e2389cfb2945b6779a9f4567531d2cdcfd5bb0fa7be3bcc46530bb6a8b1

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs-1.js
                          Filesize

                          12KB

                          MD5

                          20e89fdb6b77e6dc89ba0c9e10e2880f

                          SHA1

                          af4599fcb439e13a5092d46ba0619d969ee0749a

                          SHA256

                          9be446f35651b9f0e351a1647bf0162f1fc2e08b5253c141bdd84697922fd34b

                          SHA512

                          0102c019afdc4de78ff38469e2c2f20c0c3692d99306a57a3bf997aa1efbdb03faf67759431e3827c146d4ffb0257da68a371903b893df0d5a618ffbc9996c76

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs-1.js
                          Filesize

                          10KB

                          MD5

                          6f01b2b8cea418a5aa616165078a8245

                          SHA1

                          44ef8cec89f20fa1aec9b706d30041b647739a58

                          SHA256

                          e594c32d3e020d34f6800a6605d8653d7143a28b8f00901b833c2d113e271a35

                          SHA512

                          3c8280d074a1066ea1d4fd8ec94672e15e1ddf5f5d5c78638ef7c974229f1e26fd09d568e549a7d58905b0f89bf4ffc8b0a91cbcbcfafc0644adea4572bf76ee

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs.js
                          Filesize

                          11KB

                          MD5

                          ad5f865cd819b8731ed5afafcc6d51a4

                          SHA1

                          378c0eefc5c5824b12d313cce0b27468eb310690

                          SHA256

                          b0737a781d8acb6227da1991092d258a8d16ac97a54b9b18480e0285ebdce339

                          SHA512

                          f74cd57153c60fb3de3971d2b6806740b9bcf609f7711f95380f2d1016c2111b9530dd2d9519fac7df60ee6f89168ecc9868987ee0941aa62cbd1295041f82cf

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\sessionstore-backups\recovery.baklz4
                          Filesize

                          5KB

                          MD5

                          5f744042b23010bd219c82d7ec3c5a94

                          SHA1

                          b7a6cb7dabd88ef740194ca97d743d53ed66bc07

                          SHA256

                          bb1872cb1119edc6ca87ae6b951a3f3d5f8e1101a05f7ad6f3c46af7c9cb269d

                          SHA512

                          46bb0944f35bbb859bffd148796eeb9828120a3b9bdf0b019e09d42c021782963db02e4deed358976af38c2a41f907756a381a560430984ab7ecdf3f34adfc4f

                          Download Submit

                        • C:\Users\Admin\Downloads\python-3.KvkuCXww.12.4-amd64.exe.part
                          Filesize

                          25.5MB

                          MD5

                          f3df1be26cc7cbd8252ab5632b62d740

                          SHA1

                          3b1f54802b4cb8c02d1eb78fc79f95f91e8e49e4

                          SHA256

                          da5809df5cb05200b3a528a186f39b7d6186376ce051b0a393f1ddf67c995258

                          SHA512

                          2f9a11ffae6d9f1ed76bf816f28812fcba71f87080b0c92e52bfccb46243118c5803a7e25dd78003ca7d66501bfcdce8ff7c691c63c0038b0d409ca3842dcc89

                          Download Submit