Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 121s
max time network: 126s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 25/01/2025, 14:22
Behavioral tasks
behavioral1: Release/Destiny Stealer.exe (resource: win7-20241010-en)
behavioral2: Release/Destiny Stealer.exe (resource: win10v2004-20241007-en)
behavioral3: Release/Stub/DestinyClient.exe (resource: win7-20240903-en)
behavioral4: Release/Stub/DestinyClient.exe (resource: win10v2004-20241007-en)
General
Target: Release/Stub/DestinyClient.exe
Size: 561KB
MD5: 8479d275176a42d08d06971b2a52c29a
SHA1: bcdbbbba81db4b28671e6260dde16497794f6753
SHA256: 8de9d7149d38b1f0d24e0c7b32cc8951082109681fe034f9eaa0736bbba83436
SHA512: ca9de88c03a9780bc28867b1afb3b87b6fc1b12c34ed01bc5e69566cd8d1b9f2632ea7e307cdfd582116cbbefd7ec38b9efc4463a655fcd9891ff74385b72776
SSDEEP: 6144:MV2YyAgcu3L3mW6f/98yQL7cBWMRxRSqG+H5vPE02U0cgmhv2AkJQLoYVC2bLChb:e2YyAh2cBWmpl76Oir
Malware Config
Signatures
StormKitty
StormKitty is an open source info stealer written in C#.
StormKitty payload (1 IoC)
  resource: behavioral3/memory/2100-1-0x0000000000980000-0x0000000000A12000-memory.dmp
  yara_rule: family_stormkitty
Stormkitty family
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 4: ipinfo.io
  flow 5: ipinfo.io
Program crash (1 IoC)
  pid: 2032; pid_target: 2100; Process: WerFault.exe; procid_target: 30
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: DestinyClient.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege; pid: 2100; Process: DestinyClient.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 2100 wrote to memory of 2032; pid: 2100; Process: DestinyClient.exe; procid_target: 31
  description: PID 2100 wrote to memory of 2032; pid: 2100; Process: DestinyClient.exe; procid_target: 31
  description: PID 2100 wrote to memory of 2032; pid: 2100; Process: DestinyClient.exe; procid_target: 31
  description: PID 2100 wrote to memory of 2032; pid: 2100; Process: DestinyClient.exe; procid_target: 31
Processes
- C:\Users\Admin\AppData\Local\Temp\Release\Stub\DestinyClient.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Release\Stub\DestinyClient.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2100
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 1080
    - Program crash
    PID: 2032