Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
26/01/2025, 14:04
Static task
static1
Behavioral task
behavioral1
Sample
AdvegaHack.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
AdvegaHack.exe
Resource
win10v2004-20241007-en
General
-
Target
AdvegaHack.exe
-
Size
7.7MB
-
MD5
5f8d5770292267bca8c17dd1bf4ecdf2
-
SHA1
debdca02009b642fc15e990fcf286838d8d16cf4
-
SHA256
817cd1a400d6133e5959971d975a5cba0f03f403a2eedeeb4004fd48bc6d367b
-
SHA512
fc28ebd0d216efca4dd0d31b60d29ce0c6e253381825e478dcf1bcb7792ee2b9d26ff2317a09247710504cb3f9d9cd15e88e483c59bfd36884788df43f37e10d
-
SSDEEP
98304:hgl47z3Aldea5a/OhtJeq+4NK+dG7M0mWZsE6+YhU+dbkh4yiMP0T:X/wld79ht+j1M0mWZsE6+YASy10T
Malware Config
Extracted
blackguard
https://api.telegram.org/bot6540906397:AAG08fPgT-V7I17vtz49STaZEuwqXqKshuM/sendMessage?chat_id=5445185021
Signatures
-
BlackGuard
Infostealer first seen in Late 2021.
-
Blackguard family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation AdvegaHack.exe Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation VegaStealer_v2.exe -
Executes dropped EXE 2 IoCs
pid Process 3984 VegaStealer_v2.exe 4732 v2.exe -
Loads dropped DLL 5 IoCs
pid Process 4732 v2.exe 4732 v2.exe 4732 v2.exe 4732 v2.exe 4732 v2.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 12 freegeoip.app 16 freegeoip.app 21 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AdvegaHack.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language VegaStealer_v2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language v2.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 v2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier v2.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4732 v2.exe 4732 v2.exe 4732 v2.exe 4732 v2.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4732 v2.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 464 wrote to memory of 3984 464 AdvegaHack.exe 83 PID 464 wrote to memory of 3984 464 AdvegaHack.exe 83 PID 464 wrote to memory of 3984 464 AdvegaHack.exe 83 PID 3984 wrote to memory of 4732 3984 VegaStealer_v2.exe 84 PID 3984 wrote to memory of 4732 3984 VegaStealer_v2.exe 84 PID 3984 wrote to memory of 4732 3984 VegaStealer_v2.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\AdvegaHack.exe"C:\Users\Admin\AppData\Local\Temp\AdvegaHack.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:464 -
C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe"C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3984 -
C:\Users\Admin\AppData\Local\Temp\v2.exe"C:\Users\Admin\AppData\Local\Temp\v2.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4732
-
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
571KB
MD5169b6d383b7c650ab3ae2129397a6cf3
SHA1fcaef7defb04301fd55fb1421bb15ef96d7040d6
SHA256b896083feb2bdedc1568b62805dbd354c55e57f2d2469a52aec6c98f4ec2dedf
SHA5127a7a7bdb508b8bf177249251c83b65a2ef4a5d8b29397cab130cb8444b23888678673a9a2e4b1c74cc095b358f923b9e7e5a91bfa8c240412d95765851f1dd87
-
Filesize
1.3MB
MD50a1e95b0b1535203a1b8479dff2c03ff
SHA120c4b4406e8a3b1b35ca739ed59aa07ba867043d
SHA256788d748b4d35dfd091626529457d91e9ebc8225746211086b14fb4a25785a51e
SHA512854abcca8d807a98a9ad0ca5d2e55716c3ce26fae7ee4642796baf415c3cfad522b658963eafe504ecaed6c2ecdcdf332c9b01e43dfa342fcc5ca0fbedfe600e
-
Filesize
410KB
MD5056d3fcaf3b1d32ff25f513621e2a372
SHA1851740bca46bab71d0b1d47e47f3eb8358cbee03
SHA25666b64362664030bff1596cda2ec5bd5df48cc7c8313c32f771db4aa30a3f86f9
SHA512ce47c581538f48a46d70279a62c702195beacbfafb48a5a862b3922625fe56f6887d1679c6d9366f946d3d2124cb31c2a3eacbbd14d601ea56e66575cdf46180
-
Filesize
7.7MB
MD59f4f298bcf1d208bd3ce3907cfb28480
SHA105c1cfde951306f8c6e9d484d3d88698c4419c62
SHA256bf7057293d871cac087daab42daf22c1737a1df6adc7b7963989658f3b65f4cc
SHA5124c763c3b6d4884f77083db5ccada59bc57803b3226294eff2ec3db8f2121ac01ee240b0e822cb090f5320ce40df545b477e323efabdbca31722731adc4b46806
-
Filesize
271KB
MD53f62213d184b639a0a62bcb1e65370a8
SHA1bbf50b3c683550684cdb345d348e98fbe2fcafe0
SHA256c692dfc29e70a17cabc19561e8e2662e1fe32fdba998a09fe1a8dc2b7e045b34
SHA5120cd40d714e6a6ebd60cc0c8b0e339905a5f1198a474a531b1794fb562f27053f118718cc68b9652fef3411906f9d8ad22d0253af256fa1922133e9907298e803
-
Filesize
105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
Filesize
740B
MD561a7d119a24df2e19337cf64f4b4503e
SHA14a13370a8f96e8003235e1eceaf9a1a918a04ce8
SHA256b79b1faef04868a70835fb46cac0d96ccb2e45bcd495eb827ae678210a3ee308
SHA5122182de07b7a91fc83b9059939555b2cb0e783c5c6353aebf480e17b403be9c332cf4e1ee090b01bebbd1781cd1133c15916d5dc93752e1171dda2ab7ff32a5d8
-
Filesize
1KB
MD56b01c8e5b3519282449db8315820af52
SHA154411db25bb5c969e386558cb8ea5c200ee2bf2d
SHA25630aee9c70aafb996eebd4b9cf635117925abbc1c9fa9b55da83fce1380bc01a5
SHA51218a319d5478365c9c16319bb43869fdf2df2198fa33cba9f1161ef166930bf91360361f86c9e9a53822bcb3c44f55a909ef79706d4e5b3b81760c119832ac812