Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
updater.exe
-
Size
232KB
-
Sample
240930-xrgr1szhrr
-
MD5
50e5f40aee9ed03617394cda8ecc0f4e
-
SHA1
f79e10da26389e629c0d52ed2a4ad4755c161a1f
-
SHA256
3d454f7a59c5b36847a8a92812bb57202bf77b800d9b4aa1d67f9c28614a5afa
-
SHA512
59988efb8d98297c33d329aa5af1ca8c36a22c68da9bd19b18c16ef75ca2cd2aca02a566e5330f9d6c1f89c466ada25406ad366e2be7447eacfe1324bb226b83
-
SSDEEP
6144:cDubaBBOBIIj6HLLYLCYJqvc1D6L/qfNNHbgESNLspaGr4ZyHOnxFL:9ba5LmLcEUwYGAyHcb
Behavioral task
behavioral1
Sample
updater.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
updater.exe
Resource
win10v2004-20240802-en
Malware Config
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot6895317243:AAGYnSkZaitamccrc-RF7hCkwovAyRn5CjQ/sendMessage?chat_id=1787677484
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Targets
-
-
Target
updater.exe
-
Size
232KB
-
MD5
50e5f40aee9ed03617394cda8ecc0f4e
-
SHA1
f79e10da26389e629c0d52ed2a4ad4755c161a1f
-
SHA256
3d454f7a59c5b36847a8a92812bb57202bf77b800d9b4aa1d67f9c28614a5afa
-
SHA512
59988efb8d98297c33d329aa5af1ca8c36a22c68da9bd19b18c16ef75ca2cd2aca02a566e5330f9d6c1f89c466ada25406ad366e2be7447eacfe1324bb226b83
-
SSDEEP
6144:cDubaBBOBIIj6HLLYLCYJqvc1D6L/qfNNHbgESNLspaGr4ZyHOnxFL:9ba5LmLcEUwYGAyHcb
-
StormKitty payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops desktop.ini file(s)
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1