Overview (overall score 10/10)

Task                    Platform             Score
static                  -                    10
BlitzedGra...in.zip     windows7-x64         1
BlitzedGra...in.zip     windows10-2004-x64   1
BlitzedGra...12.exe     windows7-x64         10
BlitzedGra...12.exe     windows10-2004-x64   10
BlitzedGra...xe.xml     windows7-x64         3
BlitzedGra...xe.xml     windows10-2004-x64   1
BlitzedGra...OR.dll     windows7-x64         1
BlitzedGra...OR.dll     windows10-2004-x64   1
BlitzedGra...to.dll     windows7-x64         -
BlitzedGra...to.dll     windows10-2004-x64   1
BlitzedGra...on.dll     windows7-x64         1
BlitzedGra...on.dll     windows10-2004-x64   3
BlitzedGra...le.exe     windows7-x64         3
BlitzedGra...le.exe     windows10-2004-x64   3

Resubmissions

21/09/2024, 14:38    240921-rzwcgsxcke    score 10

Analysis
max time kernel: 121s
max time network: 125s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 21/09/2024, 14:38

The detail below (signatures, process tree) is from this Windows 7 x64 run of BlitzedGrabberV12.exe, which is task behavioral3 in the list that follows.
Behavioral tasks

Task           Sample                                                   Resource
behavioral1    BlitzedGrabberV12-main.zip                               win7-20240903-en
behavioral2    BlitzedGrabberV12-main.zip                               win10v2004-20240802-en
behavioral3    BlitzedGrabberV12-main/BlitzedGrabberV12.exe             win7-20240708-en
behavioral4    BlitzedGrabberV12-main/BlitzedGrabberV12.exe             win10v2004-20240802-en
behavioral5    BlitzedGrabberV12-main/BlitzedGrabberV12.exe.xml         win7-20240903-en
behavioral6    BlitzedGrabberV12-main/BlitzedGrabberV12.exe.xml         win10v2004-20240910-en
behavioral7    BlitzedGrabberV12-main/resources/APIFOR.dll              win7-20240903-en
behavioral8    BlitzedGrabberV12-main/resources/APIFOR.dll              win10v2004-20240802-en
behavioral9    BlitzedGrabberV12-main/resources/BouncyCastle.Crypto.dll win7-20240903-en
behavioral10   BlitzedGrabberV12-main/resources/BouncyCastle.Crypto.dll win10v2004-20240802-en
behavioral11   BlitzedGrabberV12-main/resources/Newtonsoft.Json.dll     win7-20240708-en
behavioral12   BlitzedGrabberV12-main/resources/Newtonsoft.Json.dll     win10v2004-20240802-en
behavioral13   BlitzedGrabberV12-main/resources/UltraEmbeddable.exe     win7-20240704-en
behavioral14   BlitzedGrabberV12-main/resources/UltraEmbeddable.exe     win10v2004-20240802-en
General

Target: BlitzedGrabberV12-main/BlitzedGrabberV12.exe
Size:   1.3MB
MD5:    50ab1ba628233eacd9df1f88b691e32f
SHA1:   a57c3265a98c1ab252b5311da8c176cad99c71fb
SHA256: cffee64da9161e6771e6e40552c378586beed6cf8c8729e21a193cbef9227f41
SHA512: f3ef38967f116b7d8dbc29ce30b44dba9a0f74f72eddcdb8c3e957432a50e40069565a6d5a2e25f0e5502f81a96f84ddc36f53154247c6638c1f10ee0eb956bd
SSDEEP: 24576:uSONXaV9x4IUgs36BUI2So5+jnzFoCaGApu8SO00rI:u70T+Sk6BU7HIFo7G98SOFE
Malware Config
Signatures
StormKitty
StormKitty is an open source info stealer written in C#.

StormKitty payload (1 IoC)

resource                                                                       yara_rule
behavioral3/memory/2332-1-0x0000000001330000-0x0000000001480000-memory.dmp     family_stormkitty

The family rule matched a memory dump of PID 2332 (BlitzedGrabberV12.exe) taken during the behavioral3 run, not the file on disk, so the on-disk hashes above should not be expected to match a file-based StormKitty rule.
Credentials from Password Stores: Credentials from Web Browsers (1 TTP, T1555.003)
Malicious access to, or copy of, a web browser credential store.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 5 IoCs)

flow   ioc
7      discord.com
8      discord.com
9      discord.com
10     discord.com
11     discord.com

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.

flow   ioc
4      checkip.dyndns.org
Event Triggered Execution: Netsh Helper DLL (1 TTP, T1546.007, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

description            ioc                                        Process
Key opened             \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe
Key queried            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe
Key value enumerated   \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe

Treat this one with care: netsh.exe reads HKLM\SOFTWARE\Microsoft\NetSh on every start to find its helper DLLs, and all three events come from the netsh.exe instance that the sample launched for Wi-Fi discovery (PID 2000 in the process tree below). The report shows the key being opened, queried and enumerated, not written; the persistence technique this signature is named after would require a new value under that key, and no such write appears here.
System Network Configuration Discovery: Wi-Fi Discovery (1 TTP, T1016.002, 2 IoCs)
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

pid    Process
1824   cmd.exe
2000   netsh.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)

description                pid    Process
Token: SeDebugPrivilege    2332   BlitzedGrabberV12.exe

Suspicious use of WriteProcessMemory (12 IoCs; each event below is reported three times in the source)

description           pid    Process                  procid_target
wrote to memory of    2332   BlitzedGrabberV12.exe    1824 (cmd.exe)
wrote to memory of    1824   cmd.exe                  2812 (chcp.com)
wrote to memory of    1824   cmd.exe                  2000 (netsh.exe)
wrote to memory of    1824   cmd.exe                  2552 (findstr.exe)

Every target is a child that the writing process had just spawned (see the process tree), which is consistent with the writes a parent performs while creating a process rather than with injection into an existing, unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12.exe  (PID 2332)
  command line: "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  +-- C:\Windows\system32\cmd.exe  (PID 1824)
        command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        - System Network Configuration Discovery: Wi-Fi Discovery
        - Suspicious use of WriteProcessMemory
        +-- C:\Windows\system32\chcp.com  (PID 2812)
              command line: chcp 65001
        +-- C:\Windows\system32\netsh.exe  (PID 2000)
              command line: netsh wlan show profile
              - Event Triggered Execution: Netsh Helper DLL
              - System Network Configuration Discovery: Wi-Fi Discovery
        +-- C:\Windows\system32\findstr.exe  (PID 2552)
              command line: findstr All

The single cmd.exe line is the whole Wi-Fi discovery step: chcp 65001 switches the console to UTF-8 so the parent can parse the output regardless of the system locale, netsh wlan show profile lists every saved WLAN profile, and findstr All keeps only the "All User Profile : <name>" lines, i.e. the saved SSID names. Nothing in this run reads a profile key; only the profile list is collected.
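The Wi-Fi discovery signature and the process tree above, turned into detection logic, as an added example (this is not tria.ge code and not the sample's code). The records are constructed to mirror the report's process tree with the same PIDs and command lines; the Proc field layout, the rule names and the second, interactive control case are this example's own assumptions. It goes slightly beyond the page by also flagging the key=clear form of the command, which prints the profile's pre-shared key and does not occur in this run.

```python
"""Detection logic for netsh-based Wi-Fi profile enumeration.

Added example: not tria.ge code and not the sample's code. EVENTS is
constructed from the process tree in this report (same PIDs and command
lines); the Proc layout is this example's own assumption, not a real
event-log schema.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str      # full image path
    cmdline: str


# Constructed from the process tree in this report. ppid 0 = parent not captured.
EVENTS = [
    Proc(2332, 0, r"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12.exe"'),
    Proc(1824, 2332, r"C:\Windows\system32\cmd.exe",
         r'"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'),
    Proc(2812, 1824, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    Proc(2000, 1824, r"C:\Windows\system32\netsh.exe", "netsh wlan show profile"),
    Proc(2552, 1824, r"C:\Windows\system32\findstr.exe", "findstr All"),
]

# Constructed control case (hypothetical, not from the report): an interactive
# shell under explorer.exe reading one profile's key. Shows the key=clear rule.
INTERACTIVE_EVENTS = [
    Proc(400, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc(500, 400, r"C:\Windows\system32\cmd.exe", '"cmd.exe"'),
    Proc(600, 500, r"C:\Windows\system32\netsh.exe",
         'netsh wlan show profile name="HomeNet" key=clear'),
]

WLAN_PROFILE = re.compile(r"\bwlan\s+show\s+profiles?\b", re.I)
KEY_CLEAR = re.compile(r"\bkey\s*=\s*clear\b", re.I)
# Directories a standard user can write to: a netsh request that originates from
# a binary there is far more suspicious than one from an interactive shell.
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Downloads|Users\\Public|ProgramData)\\", re.I)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(pid: int, index: dict):
    """Yield parent, grandparent, ... until the chain leaves the captured set."""
    seen = {pid}
    proc = index.get(pid)
    while proc is not None and proc.ppid in index and proc.ppid not in seen:
        seen.add(proc.ppid)
        proc = index[proc.ppid]
        yield proc


def detect(events) -> list:
    """Return (rule, pid) findings.

    wifi_profile_enumeration  netsh.exe listing saved WLAN profiles (T1016.002)
    wifi_key_disclosure       the same command with key=clear, which prints the PSK
    netsh_from_user_writable  first non-shell ancestor runs from a user-writable path
    """
    index = {e.pid: e for e in events}
    findings = []
    for e in events:
        if basename(e.image) != "netsh.exe" or not WLAN_PROFILE.search(e.cmdline):
            continue
        findings.append(("wifi_profile_enumeration", e.pid))
        if KEY_CLEAR.search(e.cmdline):
            findings.append(("wifi_key_disclosure", e.pid))
        # cmd.exe is only the pipe plumbing; attribute the request to what spawned it.
        origin = next((a for a in ancestors(e.pid, index) if basename(a.image) not in SHELLS), None)
        if origin is not None and USER_WRITABLE.search(origin.image):
            findings.append(("netsh_from_user_writable", origin.pid))
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS) + detect(INTERACTIVE_EVENTS):
        print(finding)
```

On the report's tree this yields wifi_profile_enumeration for PID 2000 and netsh_from_user_writable for PID 2332, because the first non-shell ancestor of netsh.exe is the sample running out of AppData\Local\Temp; the interactive control case fires only the enumeration and key-disclosure rules. Walking past cmd.exe to the real originator is what separates this run from an administrator typing the same command.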
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1B
MD5:      68b329da9893e34099c7d8ad5cb9c940
SHA1:     adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
SHA256:   01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
SHA512:   be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

These are the hashes of a single 0x0A (line feed) byte, so the only captured download is a one-byte body containing a newline and carries no payload.