General

  • Target

    New Quotation.7z

  • Size

    529KB

  • Sample

    230130-tmc2gsba55

  • MD5

    534cb6d1c5084250caf5239d8e05db7a

  • SHA1

    ef0b0b2a5d3ad30ca6e5bf615befb25c96a65a2a

  • SHA256

    497684ceabf5da3ee11efa2a7879022e8d23b4930428d32518ba8c884a1801ab

  • SHA512

    31de7d47bdcbb97b68ee42cf210fadcc786ce037506b8773e50be94034bbe5845d6d3c31117eb26e46f472d8785b0cdf5f1a6962a83b5c71395766faaf5f51f0

  • SSDEEP

    12288:XXYCXcbNBnvB8UW5KgEot1aqAITTu2qiljwlBXj4d+kkzRv:nYGcDvB8B5dztIq9TT9pABXj4d+5lv

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.unrc.ir
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Basiri@1334

Targets

    • Target

      New Quotation.exe

    • Size

      735KB

    • MD5

      8dd1e01db55e06e3375a55cee3193009

    • SHA1

      898dc231d09beb2abc5de9202f23edd80c20be10

    • SHA256

      fe867d208300886903bd50f715079f84291b6930c8b2aef827219b9689991f4f

    • SHA512

      f5d64e51ac6b61ff62eb31724300a0d0cb260e6485f13d1c6fd6f10b6d8bfa80ac5b6a82f1d341e5200adf5048bd50e974bcb8aa73a8b707822384f2018628ce

    • SSDEEP

      12288:1wFkvEsa40+w0DtzsROLdrClNDndaIuxAe/CE1OOGOO/OOUYvY89QY6vTNUW5KgS:iUE4zsYxcNDndNuxAe/CEREYPvTNB5dS

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, and similar data.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks