Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

AngelTokenGen.zip

windows11-21h2-x64

1

AngelTokenGen.exe

windows11-21h2-x64

8

load.pyc

windows11-21h2-x64

3

avatars/logo.png

windows11-21h2-x64

bio.txt

windows11-21h2-x64

3

settings.ini

windows11-21h2-x64

3

usernames.txt

windows11-21h2-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    AngelTokenGen.zip

  • Size

    38.1MB

  • Sample

    250328-ck6scasqt6

  • MD5

    0e77645241c0250a3e11106fe6f79dc2

  • SHA1

    b4cf8559f5f3a6c3392558e96fd1a3459d75baa5

  • SHA256

    95d2103d1135e79fc4bd7944ad9c326d0ec9359f9e2ecb9d4965ac96268142c9

  • SHA512

    f3f9ec31af1b4132b5ce9311f7b79ed426ed1fadfd804cb809aa84557585b0a6e68245796f30d0b08068922e277727f32111d13a5b7d701cfba7296dbfa3757f

  • SSDEEP

    786432:3bLJLxz2myZFHTPZwJP9mN5a+Iuy5Tt2vIBu+iJy2lKkVKG:ZdilZSPskb5TgABdiU+pwG

Score
8/10
credential_accessdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationpyinstallerspywarestealer

Malware Config

Targets

    • Target

      AngelTokenGen.zip

    • Size

      38.1MB

    • MD5

      0e77645241c0250a3e11106fe6f79dc2

    • SHA1

      b4cf8559f5f3a6c3392558e96fd1a3459d75baa5

    • SHA256

      95d2103d1135e79fc4bd7944ad9c326d0ec9359f9e2ecb9d4965ac96268142c9

    • SHA512

      f3f9ec31af1b4132b5ce9311f7b79ed426ed1fadfd804cb809aa84557585b0a6e68245796f30d0b08068922e277727f32111d13a5b7d701cfba7296dbfa3757f

    • SSDEEP

      786432:3bLJLxz2myZFHTPZwJP9mN5a+Iuy5Tt2vIBu+iJy2lKkVKG:ZdilZSPskb5TgABdiU+pwG

    Score
    1/10
    behavioral1

    • Target

      AngelTokenGen.exe

    • Size

      38.5MB

    • MD5

      aa97d3815027f5d8c624f9e86f7e2afa

    • SHA1

      8d518b5e5472371f301777839939e5b0880736b6

    • SHA256

      d9d78168039c7df2320493ac5cb03e6f94a18e92c6230e8371c409eab922ed76

    • SHA512

      bb205dd500c8ddb197a424fa235ccb4b58849ff4c52b5f1b1a1ae877cf7f0a31cb9cbc443159f087312a8b0212a2845fc439bd93886f7feb78fe56a62c22c109

    • SSDEEP

      786432:++gX4BMdhwzTQXR5FbPp6FcSS5U/LT2KzVyPVLBd+yCsKbXMb8wsqAU8A:cXGMK4XR3bLSCU/+6yPl3+KAcMqAU

    Score
    8/10
    credential_accessdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationspywarestealer

    • Downloads MZ/PE file

    • Modifies Windows Firewall

      defense_evasion

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

      credential_accessstealer

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads ssh keys stored on the system

      Tries to access SSH used by SSH programs.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Blocklisted process makes network request

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Enumerates processes with tasklist

      discovery
    behavioral2

    • Target

      load.pyc

    • Size

      342B

    • MD5

      ecdaee8b92aeb51a57019a1c038e0f1f

    • SHA1

      f9eddcab241df9b56d908109107e93e535351525

    • SHA256

      e0c8c9516b17514b72d0490009e792c855e288b0ae73438bc7916ad2ef9fb2cd

    • SHA512

      b1afacdd9f79cd3009c3e91440d9d378fe74c1f446907482385d84cf74939a4d3f852e3e7d4f2f98cc6d62b86c25b0cb77e8bcb8c587b8cd0299ad00cac3a5b6

    Score
    3/10
    behavioral3

    • Target

      avatars/logo.png

    • Size

      2KB

    • MD5

      7f32b781cac5cc74e22089fa5171d20e

    • SHA1

      ba983803344c3decf38c3bfe50bbee8d0dbbdce5

    • SHA256

      b56b8c651ad8c35811c6f5b4255876b5f7bd7a1d66d2b68bcb8b3c9d8c0c61dd

    • SHA512

      72fc28d6a931b6dc84b126c0e232925b9e595886769d08a6ac077ae9f6065fb636c00d712851e3f27410eb22d1407faf9beef8a1ebb8c4f6a9dd86993f04a313

    Score
    1/10
    behavioral4

    • Target

      bio.txt

    • Size

      13B

    • MD5

      2c619df4be5ccd77df86bdea5c86f36c

    • SHA1

      cea03047f4e14585cdc1bf18d5f375aa83736e3c

    • SHA256

      eb5dae484989b8192dec17c9527209e4a48ef7b42e05353d4df4e9f76cb8e54b

    • SHA512

      dd16025b6b4f8324c87bb4d47b0774fe1d9daac52b55d58c49a3064427192f932756e9e50c58ee48f70d9ec1c375353d5f3063b7cd0d35fda93b28668a09b713

    Score
    3/10
    behavioral5

    • Target

      settings.ini

    • Size

      309B

    • MD5

      9df68ef726c9186e17775d2b73cde398

    • SHA1

      c56c3e41cc14248129c9ce2409505e8106a41246

    • SHA256

      8d19f7fd9db172c351ccb24fc931e72c00b09ae3ad8e95cdf8bd42dcbe35bf98

    • SHA512

      e6997cca3d344448ce9774b367fb95cc300d5fbd6a21c3d74906dc8a5cca81387bdc655893fd5cf26a1705a007b9c66ad4fa548470cca64280b96b587b040642

    Score
    3/10
    behavioral6

    • Target

      usernames.txt

    • Size

      69B

    • MD5

      4e59b03d288a3b402cbd62e80ef512b4

    • SHA1

      dc90b0a000dc25b372811a61007586d780e5bd2a

    • SHA256

      17a5ee87ec6af6345ae91046c6be2c22f7c9513148b996c41e0382e457b3c6ff

    • SHA512

      34ece4de0a004cf74c629163a1a83dcbae9f000c6dc4814cf2564c09b11806ac8ea4ba0ee85cff60f8e54fea7f1ee8bc3df387a1db4788861b0d3d93732f8a5f

    Score
    3/10
    behavioral7

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Modify Authentication Process

1
T1556

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Hide Artifacts

1
T1564

Ignore Process Interrupts

1
T1564.011

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Authentication Process

1
T1556

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

2
T1555

Credentials from Web Browsers

1
T1555.003

Windows Credential Manager

1
T1555.004

Modify Authentication Process

1
T1556

Steal Web Session Cookie

1
T1539

Unsecured Credentials

4
T1552

Credentials In Files

4
T1552.001

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

1
T1120

Process Discovery

1
T1057

Query Registry

3
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

3
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks