General

  • Target: file.exe
  • Size: 327KB
  • Sample: 241003-lxrzdszejg
  • MD5: 1c5c4583fac0f0a8d4d5cce4f09fea4b
  • SHA1: 93cbd37b219bca4782868d1cff6b009f7d83a81f
  • SHA256: 2d63ff4e2c1bde1601315d12ea75a52c90b7e203f8a8e6140ab1da2e0d8a9554
  • SHA512: 98ecba4533f4cf3ab99338783e4899a01b15358113982139f676ee64841ae08a3729660c2f8feaa6789af0926955d1ff3ed694c791effd3370f936ca95d19b11
  • SSDEEP: 6144:PrJ+KUXaXzLZYZEcpbz03Tiaz/5b+hyDt0DfIgL3yUG80dS4Dk+xkAQpA6hh/xJ:PV+KMaXfZYZEcpbID9RL2ss3yN8Z4Qnd

Malware Config

Extracted

  • Family: stealc
  • Botnet: default
  • C2: http://46.8.231.109
  • Attributes
      • url_path: /c4754d4f680ead72.php

Targets

    • Stealc

      Stealc is an infostealer written in C++.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs such as FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext
