Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
Nonagon.exe
-
Size
23KB
-
Sample
250320-ne7cgavpt2
-
MD5
1b554731ea6b94e44ab6fe7ec45eb153
-
SHA1
1849707450548f79b4f8d941745c2c72199a7f00
-
SHA256
f679075808adffca9a26ade94cc8494ccc500333e8613708e9ba077d88d92a70
-
SHA512
96880df0242f41380e2877a3cac119e14ab062c4892040a3d8c9fe5fbc58ee6681729d1a1ca5c62427d4ad5ca76be1167d8811e9b4c35656e0c1000d660c06c1
-
SSDEEP
384:LD5Ry1Yg5MsZHalPXhZAiWGVDNr2mtbQ2E65wMxsWSjRSiKM3EMtR:zymgSCh2Ey/GWSjRSiKM3Nt
Malware Config
Extracted
phemedrone
https://api.telegram.org/bot7940307483:AAEmmDBRKx8kRMTrlD986B7qCulYd2jfQHw/sendDocument
Extracted
gurcu
https://api.telegram.org/bot7940307483:AAEmmDBRKx8kRMTrlD986B7qCulYd2jfQHw/sendDocumen
Targets
-
-
Target
Nonagon.exe
-
Size
23KB
-
MD5
1b554731ea6b94e44ab6fe7ec45eb153
-
SHA1
1849707450548f79b4f8d941745c2c72199a7f00
-
SHA256
f679075808adffca9a26ade94cc8494ccc500333e8613708e9ba077d88d92a70
-
SHA512
96880df0242f41380e2877a3cac119e14ab062c4892040a3d8c9fe5fbc58ee6681729d1a1ca5c62427d4ad5ca76be1167d8811e9b4c35656e0c1000d660c06c1
-
SSDEEP
384:LD5Ry1Yg5MsZHalPXhZAiWGVDNr2mtbQ2E65wMxsWSjRSiKM3EMtR:zymgSCh2Ey/GWSjRSiKM3Nt
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Detect Umbral payload
-
Gurcu family
-
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
-
Phemedrone
An information and wallet stealer written in C#.
-
Phemedrone family
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
Umbral family
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Downloads MZ/PE file
-
Uses browser remote debugging
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Modifies WinLogon
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Modify Authentication Process
1Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
3Credentials In Files
3