General

  • Target

    FNCheet.zip

  • Size

    8.9MB

  • Sample

    241221-sqetta1rcy

  • MD5

    8bd03a713e1afffbaace59f5bd3bfc8a

  • SHA1

    72b58d2a6ad4f439acdb3190195fe6577004fecd

  • SHA256

    36af0cc23a92c08b0c6d53e92145d2c6786acbd14ec52f7043366887784e34e1

  • SHA512

    355691b93a59ac86a9587ec75c0d05b05eba10092305b612349dca19628dac1f987d34bfce3daeba732e6ee5d7a9596b6d65fdcfedaaff3fe54089d66dff2651

  • SSDEEP

    196608:+Y7I+cFmI1pvQDaRFiKaftiHgiFFbiVTpGHefusZD8cBUdkl45Sulqbn:+II+FI16DaRe8Hg2tibGHQx8cik+jqbn

Malware Config

Targets

    • Target

      READ_ME.txt

    • Size

      163B

    • MD5

      c6bbeec925f83b15c8b1ccf3361ffef0

    • SHA1

      862ed0fac860a271d603bb01ae379e76bdd351c7

    • SHA256

      ffbb28aec76dd4c016e66b6fff83fd96b916a94af2ab6a8b35032c4d279f1805

    • SHA512

      2dea447a3528aa89143df3acd7d72e8a66a185d6e7757ee98cf1daeb43a122654d3ccd47079c087298ab5b2d8a56bec9d66781ef7053a5b9fc3f337d01a94e48

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      voidgui (reworked).exe

    • Size

      9.0MB

    • MD5

      1bcb20142ad3f985537b99358ce2579c

    • SHA1

      8412515b5cd26b4bb7fc93b7efee09e27d102cac

    • SHA256

      235c3b48571ff4ab89ee0cf5751f2eb9ca36a7e92d62d7086cf5425f73337d05

    • SHA512

      40c54e682137ff392fba6528db05b380328f122b22f1c6dba7e62e690acc645d7aef6403803aa1ce5d7ce7c14924225f96b16c6151596f75e9ad964ec038fb43

    • SSDEEP

      196608:1s1CmCT6hHDQw65RWys5PONEqJ7jgb1NaPfXQ+zT2a3GLwD+hAAF05:14CmfhEw65c8NEongnaPRX2aqwiF05

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.
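The "UPX packed file" signature above fires for both targets, and the wording "UPX/modified UPX" matters: stock UPX is trivial to spot by section name, but builds with renamed sections and a scrubbed magic are not. The script below is an added example, not tria.ge's own signature logic, showing three heuristics of increasing evasion resistance applied to constructed PE header skeletons (synthetic headers only, not the sample's bytes): the UPX0/UPX1 section names, the "UPX!" pack-header magic, and the structural tell that survives renaming, a first section with zero raw size and a large virtual size that the stub unpacks into. The sample inputs and the `build_pe` helper are constructed for this example.

```python
"""Heuristic UPX-packing check for PE files (added example, not the sandbox's signature)."""
import struct

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
COFF_HDR = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes


def pe_sections(data: bytes):
    """Return [(name, virtual_size, raw_size, raw_ptr), ...] from the PE section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _machine, nsec, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from(
        COFF_HDR, data, e_lfanew + 4)
    # Section table follows the COFF header plus the (variable-size) optional header.
    table = e_lfanew + 4 + struct.calcsize(COFF_HDR) + opt_size
    out = []
    for i in range(nsec):
        name, vsize, _va, raw_size, raw_ptr, *_ = struct.unpack_from(
            SECTION_HDR, data, table + 40 * i)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, raw_size, raw_ptr))
    return out


def upx_indicators(data: bytes):
    """List which UPX heuristics fire, weakest (easiest to evade) first."""
    secs = pe_sections(data)
    hits = []
    # 1. Stock UPX names its sections UPX0/UPX1 (and keeps .rsrc).
    if any(s[0].upper().startswith("UPX") for s in secs):
        hits.append("upx_section_names")
    # 2. Stock UPX writes the "UPX!" magic into its pack header.
    if b"UPX!" in data:
        hits.append("upx_magic")
    # 3. Structural tell: the first section has no bytes on disk but a large
    #    virtual size; it is the empty container the stub decompresses into.
    #    Renamed ("modified UPX") builds usually keep this shape.
    if secs and secs[0][2] == 0 and secs[0][1] >= 0x1000:
        hits.append("empty_first_section")
    return hits


def looks_upx_packed(data: bytes) -> bool:
    return bool(upx_indicators(data))


# --- constructed sample inputs: header-only PE skeletons, no code, not real binaries ---
def build_pe(sections, opt_size=224):
    """sections: [(name, virtual_size, raw_size)]. Emits DOS stub, PE/COFF headers, section table."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew -> offset 64
    coff = struct.pack(COFF_HDR, 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    table = b"".join(
        struct.pack(SECTION_HDR, n.encode().ljust(8, b"\0"), vs, 0x1000 * (i + 1), rs,
                    0x400 if rs else 0, 0, 0, 0, 0, 0x60000020)
        for i, (n, vs, rs) in enumerate(sections))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + table


STOCK_UPX = build_pe([("UPX0", 0x50000, 0), ("UPX1", 0x20000, 0x1F000),
                      (".rsrc", 0x1000, 0x800)]) + b"UPX!"
RENAMED_UPX = build_pe([(".text", 0x50000, 0), (".data", 0x20000, 0x1F000)])  # names and magic scrubbed
PLAIN = build_pe([(".text", 0x8000, 0x8000), (".data", 0x1000, 0x400), (".rsrc", 0x800, 0x800)])

if __name__ == "__main__":
    for label, blob in (("stock", STOCK_UPX), ("renamed", RENAMED_UPX), ("plain", PLAIN)):
        print(f"{label:8s} packed={looks_upx_packed(blob)} {upx_indicators(blob)}")
```

The name and magic checks are what most quick YARA rules rely on, and a repacked or source-modified UPX defeats both; the empty-first-section heuristic is the one worth keeping in a triage pipeline, with the caveat that it also matches some non-UPX packers and a few legitimate self-extracting stubs, so treat it as a "needs unpacking" flag rather than a family attribution.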

MITRE ATT&CK Enterprise v15

Tasks