General
Target: 10afb5f99e9f494907a0b47823e69573301e7715ab389457bdcd391d8e9cf090
Size: 1.8MB
Sample: 240818-qavh8avbje
MD5: 8bcd388ed9e8762c812ec36614f17982
SHA1: fae03863e3f80e04271b7835bcc9ff4865f2c219
SHA256: 10afb5f99e9f494907a0b47823e69573301e7715ab389457bdcd391d8e9cf090
SHA512: 1e979e850a172431f7b4c814f336cebbf16072b38a6bd8ebb686dfddbbd056a3cd59aae09f7790641b871e6080d1cf357ae3cc2d2771739e7248c3eb86a08764
SSDEEP: 49152:Z+WmGAH90soxYipeD4FMVlKpPBhwLqINUAyADXnfw7NB3ZynYczB:Z++A6zPpeU+VloP/zA5DXo7NVoYc
Static task: static1
Behavioral task: behavioral1
Sample: 10afb5f99e9f494907a0b47823e69573301e7715ab389457bdcd391d8e9cf090.exe
Resource: win10v2004-20240802-en
Malware Config
Extracted
Family: amadey
Version: 4.41
Botnet: c7817d
C2: http://31.41.244.10
install_dir: 0e8d0864aa
install_file: svoutse.exe
strings_key: 5481b88a6ef75bcf21333988a4e47048
url_paths: /Dem7kTu/index.php
Extracted
Family: stealc
Botnet: nord
C2: http://185.215.113.100
url_path: /e2b1563c6670f193.php
Extracted
Family: stealc
Botnet: kora
C2: http://185.215.113.100
url_path: /e2b1563c6670f193.php
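The extracted configs give the C2 host and the URL path as separate fields, but a proxy or IDS hit contains the joined URL. The Python below is an added example, not part of the tria.ge report: it joins host and path into IOCs (the two Stealc builds, nord and kora, share one endpoint and collapse into a single entry carrying both labels), canonicalises logged URLs so that an explicit `:80` or a trailing query string does not hide a match, and runs the result over a constructed proxy log. The log format, the log lines and the client address are assumptions made for the example.

```python
"""Turn the extracted Amadey/Stealc configs into network IOCs and match them
against proxy log lines.  Added example, not part of the tria.ge report; the
log format and the log lines are constructed."""
from urllib.parse import urlsplit, urlunsplit

# Values copied from the report's "Malware Config" section.
EXTRACTED_CONFIGS = [
    {"family": "amadey", "version": "4.41", "botnet": "c7817d",
     "c2": "http://31.41.244.10", "paths": ["/Dem7kTu/index.php"]},
    {"family": "stealc", "botnet": "nord",
     "c2": "http://185.215.113.100", "paths": ["/e2b1563c6670f193.php"]},
    {"family": "stealc", "botnet": "kora",
     "c2": "http://185.215.113.100", "paths": ["/e2b1563c6670f193.php"]},
]


def build_iocs(configs):
    """Return {full_url: {'family/botnet', ...}}.  Builds that share a C2 and
    path (the two Stealc configs here) collapse into one URL with two labels."""
    iocs = {}
    for cfg in configs:
        host = urlsplit(cfg["c2"])
        for path in cfg["paths"]:
            url = urlunsplit((host.scheme, host.netloc, path, "", ""))
            iocs.setdefault(url, set()).add(f'{cfg["family"]}/{cfg["botnet"]}')
    return iocs


def normalize_url(raw):
    """Canonicalise a logged URL: lower-case scheme/host, drop a default port
    and any query/fragment, so http://HOST:80/path?x=1 still matches."""
    parts = urlsplit(raw.strip())
    host = parts.hostname or ""
    default_port = {"http": 80, "https": 443}.get(parts.scheme)
    if parts.port and parts.port != default_port:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path, "", ""))


def match_proxy_log(lines, iocs):
    """Return [(line_no, url, labels)] for every log line whose request URL is
    a known C2 endpoint.  Assumed (constructed) log layout, space separated:
    '<timestamp> <client_ip> <method> <url> <status>'."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 5:
            continue
        url = normalize_url(fields[3])
        if url in iocs:
            hits.append((n, url, sorted(iocs[url])))
    return hits


# Constructed proxy log: a beacon to each extracted C2, one benign request,
# and one request to the Amadey host on a different path (must not match).
SAMPLE_LOG = [
    "2024-08-18T10:01:02Z 10.0.0.12 POST http://31.41.244.10/Dem7kTu/index.php 200",
    "2024-08-18T10:01:05Z 10.0.0.12 GET http://www.example.com/index.html 200",
    "2024-08-18T10:01:09Z 10.0.0.12 POST http://185.215.113.100:80/e2b1563c6670f193.php?x=1 200",
    "2024-08-18T10:01:11Z 10.0.0.12 GET http://31.41.244.10/Dem7kTu/other.php 404",
]

if __name__ == "__main__":
    for n, url, labels in match_proxy_log(SAMPLE_LOG, build_iocs(EXTRACTED_CONFIGS)):
        print(f"line {n}: {url} -> {', '.join(labels)}")
```

Matching on the full URL rather than the bare IP keeps the second-to-last line (same host, different path) out of the hits; if you want host-level blocking as well, add the bare `netloc` values from `build_iocs` to a separate list, since a shared hosting IP would otherwise generate noise.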
Targets
Target: 10afb5f99e9f494907a0b47823e69573301e7715ab389457bdcd391d8e9cf090
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious access to, or copying of, a web browser credential store.
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Adds Run key to start application
- AutoIt Executable
  An AutoIt script compiled into a PE executable.
- Suspicious use of NtSetInformationThreadHideFromDebugger
  Setting ThreadHideFromDebugger on a thread stops a debugger from receiving that thread's debug events, a common anti-debugging technique.
- Suspicious use of SetThreadContext
  SetThreadContext is commonly used to redirect a suspended thread, for example in process hollowing or other code injection.
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001), 1 matching signature