Resubmissions

  • 27/10/2024, 22:02   241027-1x98astdjg   10

  • 27/10/2024, 22:01   241027-1xdjbstcqf   1

General

  • Target: R6 Script.rar

  • Size: 111KB

  • Sample: 241027-1x98astdjg

  • MD5: 064db67a423e95cf104cf0cbd949f97f

  • SHA1: c94d4ad7d69c14f783db28448657d5a3e8e75c44

  • SHA256: 9996b7ab1211684a1d7e32ba542db3332a8fdcef65d2c3e2cc03ff05062cfdd4

  • SHA512: 8cb49e6872cfefa1926d848716cf6a70ac734914e8d55c2b22ea766929b835b5ae841b78944c4c95ff4c03ca04a4180313cc2e5fdf7b7d97ab215511f01c6c1e

  • SSDEEP: 1536:8kHBBKJHJXYxchWFWw0Jtrci5f9a0Svdv40nocUyufW0yklTGRSpRJTHomGUbFeZ:G+yhsgIcfdSVv4yK3XyksRKwmPeZ

Malware Config

Extracted

  • Family: stealc

  • Botnet: game

  • C2: https://t.me/gygqrajjsa

  • Attributes
      url_path: /383ccd496f3c5eee.php

Targets

    • Target: R6 Script.rar

    • Stealc
      Stealc is an infostealer written in C++.

    • Stealc family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Checks BIOS information in registry
      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients
      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer
      Detects Themida, an advanced Windows software protection system.

    • Unsecured Credentials: Credentials In Files
      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks