Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
93s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
26/01/2025, 14:10
Static task
static1
Behavioral task
behavioral1
Sample
AdvegaHack.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
AdvegaHack.exe
Resource
win10v2004-20241007-en
General
-
Target
AdvegaHack.exe
-
Size
7.7MB
-
MD5
5f8d5770292267bca8c17dd1bf4ecdf2
-
SHA1
debdca02009b642fc15e990fcf286838d8d16cf4
-
SHA256
817cd1a400d6133e5959971d975a5cba0f03f403a2eedeeb4004fd48bc6d367b
-
SHA512
fc28ebd0d216efca4dd0d31b60d29ce0c6e253381825e478dcf1bcb7792ee2b9d26ff2317a09247710504cb3f9d9cd15e88e483c59bfd36884788df43f37e10d
-
SSDEEP
98304:hgl47z3Aldea5a/OhtJeq+4NK+dG7M0mWZsE6+YhU+dbkh4yiMP0T:X/wld79ht+j1M0mWZsE6+YASy10T
Malware Config
Extracted
blackguard
https://api.telegram.org/bot6540906397:AAG08fPgT-V7I17vtz49STaZEuwqXqKshuM/sendMessage?chat_id=5445185021
Signatures
-
BlackGuard
Infostealer first seen in Late 2021.
-
Blackguard family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation AdvegaHack.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation VegaStealer_v2.exe -
Executes dropped EXE 2 IoCs
pid Process 1964 VegaStealer_v2.exe 3948 v2.exe -
Loads dropped DLL 5 IoCs
pid Process 3948 v2.exe 3948 v2.exe 3948 v2.exe 3948 v2.exe 3948 v2.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 20 ip-api.com 14 freegeoip.app 15 freegeoip.app -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AdvegaHack.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language VegaStealer_v2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language v2.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 v2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier v2.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3948 v2.exe 3948 v2.exe 3948 v2.exe 3948 v2.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3948 v2.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3672 wrote to memory of 1964 3672 AdvegaHack.exe 83 PID 3672 wrote to memory of 1964 3672 AdvegaHack.exe 83 PID 3672 wrote to memory of 1964 3672 AdvegaHack.exe 83 PID 1964 wrote to memory of 3948 1964 VegaStealer_v2.exe 84 PID 1964 wrote to memory of 3948 1964 VegaStealer_v2.exe 84 PID 1964 wrote to memory of 3948 1964 VegaStealer_v2.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\AdvegaHack.exe"C:\Users\Admin\AppData\Local\Temp\AdvegaHack.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3672 -
C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe"C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Users\Admin\AppData\Local\Temp\v2.exe"C:\Users\Admin\AppData\Local\Temp\v2.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3948
-
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
571KB
MD5169b6d383b7c650ab3ae2129397a6cf3
SHA1fcaef7defb04301fd55fb1421bb15ef96d7040d6
SHA256b896083feb2bdedc1568b62805dbd354c55e57f2d2469a52aec6c98f4ec2dedf
SHA5127a7a7bdb508b8bf177249251c83b65a2ef4a5d8b29397cab130cb8444b23888678673a9a2e4b1c74cc095b358f923b9e7e5a91bfa8c240412d95765851f1dd87
-
Filesize
1.3MB
MD50a1e95b0b1535203a1b8479dff2c03ff
SHA120c4b4406e8a3b1b35ca739ed59aa07ba867043d
SHA256788d748b4d35dfd091626529457d91e9ebc8225746211086b14fb4a25785a51e
SHA512854abcca8d807a98a9ad0ca5d2e55716c3ce26fae7ee4642796baf415c3cfad522b658963eafe504ecaed6c2ecdcdf332c9b01e43dfa342fcc5ca0fbedfe600e
-
Filesize
410KB
MD5056d3fcaf3b1d32ff25f513621e2a372
SHA1851740bca46bab71d0b1d47e47f3eb8358cbee03
SHA25666b64362664030bff1596cda2ec5bd5df48cc7c8313c32f771db4aa30a3f86f9
SHA512ce47c581538f48a46d70279a62c702195beacbfafb48a5a862b3922625fe56f6887d1679c6d9366f946d3d2124cb31c2a3eacbbd14d601ea56e66575cdf46180
-
Filesize
7.7MB
MD59f4f298bcf1d208bd3ce3907cfb28480
SHA105c1cfde951306f8c6e9d484d3d88698c4419c62
SHA256bf7057293d871cac087daab42daf22c1737a1df6adc7b7963989658f3b65f4cc
SHA5124c763c3b6d4884f77083db5ccada59bc57803b3226294eff2ec3db8f2121ac01ee240b0e822cb090f5320ce40df545b477e323efabdbca31722731adc4b46806
-
Filesize
271KB
MD53f62213d184b639a0a62bcb1e65370a8
SHA1bbf50b3c683550684cdb345d348e98fbe2fcafe0
SHA256c692dfc29e70a17cabc19561e8e2662e1fe32fdba998a09fe1a8dc2b7e045b34
SHA5120cd40d714e6a6ebd60cc0c8b0e339905a5f1198a474a531b1794fb562f27053f118718cc68b9652fef3411906f9d8ad22d0253af256fa1922133e9907298e803
-
Filesize
105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
Filesize
740B
MD52019fb59f9befa56812de8c1c29d0870
SHA1fe51db55fbc327aefe57bb848ad61261988e50ee
SHA2564d0321480054e0459430075cd717e6fa412b74c014b2a78b728ed49113c93700
SHA512f1cc77cfe115579810b32a079de1a43a4ebd818258b337a4445a6a0d7fc2905780d11d0115132d6406d3bd8d131ef7273dfa6cd741efe9575061ef62f05aa243
-
Filesize
1KB
MD5b7145206912c3d87950e12f11c2e93c5
SHA1db30b4fbdb2aa8f07d69674b08a0f8b3843e7c27
SHA256ecc7da0dc3f8cd4615906c1728deb7f4a54576c332f7be7d19122948098a63db
SHA5123037d8394b8032b48fbf30bfdf73011399a61f79e80b758874754bf1c11ae11a4b4f16715b471bee17cf03ba8f7514c5eecc55862ec76663296c54002707da16