Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    2025-03-02_42f49da626aa34ca8c21aab20da6a382_frostygoop_golang_luca-stealer_poet-rat_sliver_snatch

  • Size

    19.0MB

  • Sample

    250302-bvq9zazlv7

  • MD5

    42f49da626aa34ca8c21aab20da6a382

  • SHA1

    5362d477c018c15fce8bc8f667b71228e3ad67a2

  • SHA256

    064a7077168cb7b92282465e8eaf2d7d7b86e312bd0d9a30e04f2301d8ede506

  • SHA512

    418bed81b478f235ef7512b5f507b28dd0fcff4a4df388caceaf93340d67e999731a760dc0b82f14d5d5873706c121a0a1a81c4d2677c133da51cb721e9b39e9

  • SSDEEP

    393216:A7ZFuOmpF4JPV6o9f+zXnuJqoCHbXT4/:iFuGJPV6o9mTrG

Malware Config

Targets

    • Target

      2025-03-02_42f49da626aa34ca8c21aab20da6a382_frostygoop_golang_luca-stealer_poet-rat_sliver_snatch

    • Size

      19.0MB

    • MD5

      42f49da626aa34ca8c21aab20da6a382

    • SHA1

      5362d477c018c15fce8bc8f667b71228e3ad67a2

    • SHA256

      064a7077168cb7b92282465e8eaf2d7d7b86e312bd0d9a30e04f2301d8ede506

    • SHA512

      418bed81b478f235ef7512b5f507b28dd0fcff4a4df388caceaf93340d67e999731a760dc0b82f14d5d5873706c121a0a1a81c4d2677c133da51cb721e9b39e9

    • SSDEEP

      393216:A7ZFuOmpF4JPV6o9f+zXnuJqoCHbXT4/:iFuGJPV6o9mTrG

    • Enumerates VirtualBox DLL files

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Identifies Xen via ACPI registry values (likely anti-VM)

    • Looks for Parallels drivers on disk.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VirtualBox drivers on disk

    • Looks for VirtualBox executables on disk

    • Looks for VMWare Tools registry key

    • Looks for VMWare drivers on disk

    • Looks for VMWare services registry key.

    • Looks for Xen service registry key.

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

MITRE ATT&CK Enterprise v15

Tasks