Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

998c8dddf5...57.exe

windows7-x64

10

998c8dddf5...57.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    22/12/2024, 18:00 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    998c8dddf5fc3d73a386669c03ce5a4d371fb1d09983b1828f3ed49598af0b57.exe

  • Size

    2.8MB

  • MD5

    a0956c9f9c719b85668c6f8b85f89a5b

  • SHA1

    031f8c3bf791e31ae9b03286b486b1365b81f745

  • SHA256

    998c8dddf5fc3d73a386669c03ce5a4d371fb1d09983b1828f3ed49598af0b57

  • SHA512

    1ee084ef14a516733ffaedd360b43560bf87e999fc4f2ad9c8d34191f33e6fafde7bd0773cc422f63d664e8b8d994d1884736f70c360927aaef75745323b8474

  • SSDEEP

    24576:LBGJABbey9EKIXUDMPygZalHOiZncFx2J/atbmmPffRv7P8ussEsfEEi3M4rz7Jf:lKABDZIXUI5iuiZ29zmuarfkjpTSyng

Score
10/10
stealcstokdiscoveryevasionstealer

Malware Config

Extracted

Family

stealc

Botnet

stok

C2

http://185.215.113.206

Attributes
  • url_path

    /c4becf79229cb002.php

Signatures

  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\998c8dddf5fc3d73a386669c03ce5a4d371fb1d09983b1828f3ed49598af0b57.exe
    "C:\Users\Admin\AppData\Local\Temp\998c8dddf5fc3d73a386669c03ce5a4d371fb1d09983b1828f3ed49598af0b57.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:2836

Network

  • flag-ru
    GET
    http://185.215.113.206/
    998c8dddf5fc3d73a386669c03ce5a4d371fb1d09983b1828f3ed49598af0b57.exe
    Remote address:
    185.215.113.206:80
    Request
    GET / HTTP/1.1
    Host: 185.215.113.206
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Sun, 22 Dec 2024 18:00:47 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Content-Length: 0
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
  • flag-ru
    POST
    http://185.215.113.206/c4becf79229cb002.php
    998c8dddf5fc3d73a386669c03ce5a4d371fb1d09983b1828f3ed49598af0b57.exe
    Remote address:
    185.215.113.206:80
    Request
    POST /c4becf79229cb002.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----JECAEHJJJKJKFIDGCBGI
    Host: 185.215.113.206
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Sun, 22 Dec 2024 18:00:47 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Content-Length: 8
    Keep-Alive: timeout=5, max=99
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
  • 185.215.113.206:80
    http://185.215.113.206/c4becf79229cb002.php
    http
    998c8dddf5fc3d73a386669c03ce5a4d371fb1d09983b1828f3ed49598af0b57.exe
    727 B
     625 B
     5
    5

    HTTP Request

    GET http://185.215.113.206/

    HTTP Response

    200

    HTTP Request

    POST http://185.215.113.206/c4becf79229cb002.php

    HTTP Response

    200
No results found

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2836-0-0x0000000000DA0000-0x0000000001296000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/2836-1-0x00000000773E0000-0x00000000773E2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2836-2-0x0000000000DA1000-0x0000000000DB8000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2836-3-0x0000000000DA0000-0x0000000001296000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/2836-4-0x0000000000DA0000-0x0000000001296000-memory.dmp

    Filesize

    5.0MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.