General

  • Target

    e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37

  • Size

    6.3MB

  • Sample

    240825-g8g64s1ekm

  • MD5

    9190aaff6a444edb896ed5c228c26276

  • SHA1

    e7a1745c17b141159e87a6d8ade23ac7815c74d9

  • SHA256

    e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37

  • SHA512

    aa75ce03ef8594f066ffc2d16e0658637a6d9544c81555b8199a4d17fd42e35980e8a676f9f5b700ba966f3563cdd4816714014bcf5533e42b16379540c9a6b8

  • SSDEEP

    196608:z6xePNL9ONBrYuU7yBCiAYPnGjzJIerhV5Q:zAA99ONuC5AYPnYJIe1V5

Malware Config

Targets

    • Target

      e275e8febf42d63d37ded05b4e6aacc1b36b9ace6318cd09d65b822037464c37

      (size and hashes as listed under General above)

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive profile information.

    • Adds Run key to start application

    • Modifies Windows Firewall

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      959ea64598b9a3e494c00e8fa793be7e

    • SHA1

      40f284a3b92c2f04b1038def79579d4b3d066ee0

    • SHA256

      03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

    • SHA512

      5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

    • SSDEEP

      192:sRer7uivwq1XpKs4FVWSjMd8tIg2cREbyCsZ8q2R4Sy+Xe:s67Xws4FVWig86/5eCBqSy+Xe

    Score
    3/10
    • Target

      $PLUGINSDIR/UserInfo.dll

    • Size

      4KB

    • MD5

      d16e06c5de8fb8213a0464568ed9852f

    • SHA1

      d063690dc0d2c824f714acb5c4bcede3aa193f03

    • SHA256

      728472ba312ae8af7f30d758ab473e0772477a68fcd1d2d547dafe6d8800d531

    • SHA512

      60502bb65d91a1a895f38bd0f070738152af58ffa4ac80bac3954aa8aad9fda9666e773988cbd00ce4741d2454bf5f2e0474ce8ea18cfe863ec4c36d09d1e27a

    Score
    3/10
    • Target

      $SYSDIR/CEA_Crypt.dll

    • Size

      60KB

    • MD5

      b57da4ef6c923514de0efe4d4f409ca2

    • SHA1

      638ef69da94f513955db4e5349b69c1ecbf4b9d8

    • SHA256

      1161c3fac4a43485640a80336dd0edbc5569f332b3f36839dcebc8663ab8761b

    • SHA512

      ad755429be4ac006354cd8d4bf8877baef093418d6b3e20af6c7da8fb8e441314c3dc37544510c2462abc4204013da12c1747fa974242ebbc6f8484858a1496e

    • SSDEEP

      768:EkpSRkT6Zwg4TcYFsF3TaDvwHpVJOdKB67GrYxw/l+MSpL0Gt:EbDh4TcR3ODQzoK6GrYi+2Gt

    Score
    3/10
    • Target

      $SYSDIR/FTInitlize_bank.ocx

    • Size

      50KB

    • MD5

      f4641328913d7c18982cce4c99f580e0

    • SHA1

      4250757a8455d59fdfdbff67d2b6b12939c83673

    • SHA256

      09f584a625ea2f6b6c26a609c12457763504b4d0ee55cff4c2d9417f5a787fd8

    • SHA512

      f3de30d3cd4312529c5706a1c377b3086987617dc9901c7e051c3c578d3f38c6888bc6898708f653962f832cf4ac5388f21ace66aadf15421686a139f55cb438

    • SSDEEP

      768:EM7eEsCWff3DpjTKRbcvWnnqJJwZYi8pqAMxkEI1:1e4C3NjTKG8nIJe70IxQ

    Score
    3/10
    • Target

      $SYSDIR/InterPass2000P11.dll

    • Size

      892KB

    • MD5

      809f63601ef78a3cbcbdfab1f4816f73

    • SHA1

      6122e2108502b7e52c8a07e8953daf2dfd54c6dd

    • SHA256

      806b77200f87f245a39da02bb7548654ce11cf7ebbbc123c72a93f93c74ca7f0

    • SHA512

      6496887b99a271c06d6bc59b54c99e3fe6108bed199d86c07b5b3945dcd362a396a925a9579f8fe16239a3d794347504d63f031d51d70624e06021bcad3b1434

    • SSDEEP

      24576:5Z5Sl7ZaOE7tiGJhDlqAony9OK+TdLO4og8CDtjYM42q4S:fA0QdLOQ8O5x42q4S

    Score
    3/10
    • Target

      $SYSDIR/InterPass2000P11_s.dll

    • Size

      10KB

    • MD5

      6b27956ba886ee230281d205e09e91a9

    • SHA1

      d5c7d9297df241b52573d03185a66528a84f5488

    • SHA256

      3df383f4b0195620badc0bb9f5e1d86ebdb4975b60da4b910a26fee9b4af474f

    • SHA512

      e7b9d770ef04dda2c2cf144c218851b2b933d59395caff6594e70d0d71db4a78319a51bcbd3479668ab7dad56acee4a24cc3c4206186ad6cc91f5314a498212a

    • SSDEEP

      96:Dpn00KCDOVnXB+im0KcOqW/PLZISj0epuVuw6YQCcTvka9IN80KIbWUksykajqq1:PAXBRQC3a9C8nZUadXe/09OFH

    Score
    3/10
    • Target

      $SYSDIR/PassGuardCtrl.dll

    • Size

      2.0MB

    • MD5

      174a19cd3a960100dbeb43fb9428bf02

    • SHA1

      5bb0fa68ee4ec2a74b7c7ceb9ff1f42e42da54cb

    • SHA256

      15333c63027b7e91c3298e566ee8bd1abcf61fb2699570280e66a84136ae7fba

    • SHA512

      20f698d8651f61c370c840b9bbfbef8ee5b53c655c0d1b0dd704f2670bdaeb9366279e3182ff99a36b43f4d664dde1bbfeef9dc3032b0b5c769c3c81faf57aab

    • SSDEEP

      49152:Tm4ggt/EcTPjh5e8uSdORm6ivr4qFFfS2bn1MF+7x/d3X16sUVE:Dg6zuS8m6ivr7SqFx/9XdUS

    Score
    5/10
    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      $SYSDIR/PassGuardCtrlForYBXY/PassGuardCtrl.dll

    • Size

      2.0MB

    • MD5

      174a19cd3a960100dbeb43fb9428bf02

    • SHA1

      5bb0fa68ee4ec2a74b7c7ceb9ff1f42e42da54cb

    • SHA256

      15333c63027b7e91c3298e566ee8bd1abcf61fb2699570280e66a84136ae7fba

    • SHA512

      20f698d8651f61c370c840b9bbfbef8ee5b53c655c0d1b0dd704f2670bdaeb9366279e3182ff99a36b43f4d664dde1bbfeef9dc3032b0b5c769c3c81faf57aab

    • SSDEEP

      49152:Tm4ggt/EcTPjh5e8uSdORm6ivr4qFFfS2bn1MF+7x/d3X16sUVE:Dg6zuS8m6ivr7SqFx/9XdUS

    Score
    5/10
    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      $SYSDIR/PassGuardCtrlForYBXY/passguardwin7ins.exe

    • Size

      524KB

    • MD5

      b40dc2b850c541138161080e8349a9fb

    • SHA1

      8e9c77b96baa956c1c9ca8887f29ae92bfb1173d

    • SHA256

      287d8914e42ade8139f23a93fc3c1bfe8e82bfce57acc2219ef9d4b7f7bf303e

    • SHA512

      6165c4660f60977abe05cdc8bdb87d2ae5b4a424e6ce19e2d5829af3135e735e26ca17887cf5be319e85861c2d656cc9f4fd8847ace8c8a81b621b464f8d34a4

    • SSDEEP

      12288:3XeT29v49ZFqjw6/SIojaiGXa5NUFoFh3UvhnmIBzGxDqIbYX:3XdA9ZySX2i2aIFoknmwYE

    Score
    3/10
    • Target

      $SYSDIR/PassGuardX64ForYBXY/PassGuardX64.dll

    • Size

      3.3MB

    • MD5

      c51656b26119aacd1a46c0e0a595a39c

    • SHA1

      b75d8b77297d2fd7f6f7763a3d50ea06beb396e6

    • SHA256

      665e7de614a196741af1a52b48f91453136d0bce3e0048699b3b115e3c7078b9

    • SHA512

      a2a3747dc518249599097bec700cb09b1551b6d9052d0225f5e4abf2d458acff6edd4867db81685bb94c71c6dc5302f868be8de170ca6804ab79288c5a5afaf7

    • SSDEEP

      49152:WYbgS0xNu63rtrgwNAOa1qXEeaenHgJEomipl4LgziNXfzEurRnKtAGeXbyg10:WYS5aG7onlw75fzE+RKtALLyy0

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      $SYSDIR/PassGuardX64ForYBXY/passguardwin7ins.exe

    • Size

      176KB

    • MD5

      feeebfd24b6e6b490dae219d0db511ac

    • SHA1

      851be598f328916c72efdc01e97908d3717bc24c

    • SHA256

      2cff7d0b83c051a4677d9313976aaefc328c53c6851ab30a1524221ef571acd2

    • SHA512

      28d3099930f4073bf40c301109a0494767a2eb4fd2d09d6e729a82f41e0ce63edac65d69b5047120490b5598907db19d21a182736dc793b0e193b64e5b4d0532

    • SSDEEP

      3072:V3Gmsh8wZitP7uTpj6h/cTU6uD+OUicVTMBzGxKzmqktXbhaczc:Imsh80zp2h/cT5u31oIBzGxKzmq2XbK

    Score
    3/10
    • Target

      $SYSDIR/passguardwin7ins.exe

    • Size

      524KB

    • MD5

      b40dc2b850c541138161080e8349a9fb

    • SHA1

      8e9c77b96baa956c1c9ca8887f29ae92bfb1173d

    • SHA256

      287d8914e42ade8139f23a93fc3c1bfe8e82bfce57acc2219ef9d4b7f7bf303e

    • SHA512

      6165c4660f60977abe05cdc8bdb87d2ae5b4a424e6ce19e2d5829af3135e735e26ca17887cf5be319e85861c2d656cc9f4fd8847ace8c8a81b621b464f8d34a4

    • SSDEEP

      12288:3XeT29v49ZFqjw6/SIojaiGXa5NUFoFh3UvhnmIBzGxDqIbYX:3XdA9ZySX2i2aIFoknmwYE

    Score
    3/10
    • Target

      $SYSDIR/printCtl4RA.dll

    • Size

      124KB

    • MD5

      a89ea3892bfe94be61231dedc9263cd8

    • SHA1

      768a8e6a08621f22447567dd96fde590071696ef

    • SHA256

      12d5a0d88d72b088face2209427d1d9f116179eb48a90da27902f5712590d86c

    • SHA512

      d3bc89d4fdd2de9b6cd2ea11cc3c12f6a524c7f07164590bdc8f12f36cc59432ff0dd8cb63bcbf40fa18cc064ba5646fa2c0c931439c6f8d39579676e0d16761

    • SSDEEP

      3072:H5mgucQOCStrFrfaRqUgLRy2J0kGAqb9icB/KLY:xCSrtLZJ0OC5/1

    Score
    3/10
    • Target

      $SYSDIR/stwebdll.dll

    • Size

      104KB

    • MD5

      92119ff7a175e5635b87726306d82635

    • SHA1

      6125103765180006ff3923ab03bf32d33dd491cc

    • SHA256

      89cf6ae4df753095e06b2237e1127c8d0cc6cb879d877287355de47b59d08f28

    • SHA512

      2130595f4a2be6ede12ff65084cbb90ffcb898fb5eb379cffaee5a4967305b6aa3c2b04e1a954b9d84000eee4d76447ceaf6031d3d0b0b09d7adf8330a750622

    • SSDEEP

      1536:weCN8rpRhbxfocQBfH/0B0sxOtTvAWsTNjF1A+OWDlSuHnZQsoQnz8NZWYK+2GA:b1RhKcQBffc0sQAxjFSYlRH6sokz8HbK

    Score
    3/10
    • Target

      $TEMP/EsWebSocketKit.exe

    • Size

      2.0MB

    • MD5

      03608817f4280e182fe17dcc532b78af

    • SHA1

      3810abd4bab3e9b962c96019a2e73422c90fbc31

    • SHA256

      211e3a7eac588949321ab2bafd1317a18b5c33f5064faff26f5b1d409d73e4d3

    • SHA512

      aa1f690f29e893b61a2ae18eb364457aab7086ccfa6394bd46b60e94f6d7834f93b6a5e336a32dae251fb79db0a70265d3ca0703c19cd6d99314aecef6cfae5f

    • SSDEEP

      49152:xQxqVOQPx6T4ooThi+cKS6aWM0A5sT4KV3Bm:xQxqVM4Xi+/7aW3wsNJg

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive profile information.

    • Adds Run key to start application

    • Modifies Windows Firewall

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

discovery, evasion, persistence, privilege_escalation, spyware, stealer
Score
7/10

behavioral2

discovery, evasion, persistence, privilege_escalation, spyware, stealer
Score
7/10

behavioral3

discovery
Score
3/10

behavioral4

discovery
Score
3/10

behavioral5

discovery
Score
3/10

behavioral6

discovery
Score
3/10

behavioral7

discovery
Score
3/10

behavioral8

discovery
Score
3/10

behavioral9

discovery
Score
3/10

behavioral10

discovery
Score
3/10

behavioral11

discovery
Score
3/10

behavioral12

discovery
Score
3/10

behavioral13

discovery
Score
3/10

behavioral14

discovery
Score
3/10

behavioral15

discovery
Score
5/10

behavioral16

discovery
Score
5/10

behavioral17

discovery
Score
5/10

behavioral18

discovery
Score
5/10

behavioral19

discovery
Score
3/10

behavioral20

discovery
Score
3/10

behavioral21

persistence, privilege_escalation
Score
7/10

behavioral22

Score
5/10

behavioral23

discovery
Score
3/10

behavioral24

discovery
Score
3/10

behavioral25

discovery
Score
3/10

behavioral26

discovery
Score
3/10

behavioral27

discovery
Score
3/10

behavioral28

discovery
Score
3/10

behavioral29

discovery
Score
3/10

behavioral30

discovery
Score
3/10

behavioral31

discovery, evasion, persistence, privilege_escalation, spyware, stealer
Score
7/10

behavioral32

discovery, evasion, persistence, privilege_escalation, spyware, stealer
Score
7/10