Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    Payment copy.exe

  • Size

    948KB

  • Sample

    231006-qt4k8sea99

  • MD5

    b7a6ca258cb780f735090ba00802cd12

  • SHA1

    9e3bfd9d546dee99434e7f228e96c8ea4179f579

  • SHA256

    649cbde56fbdaf2f52343c1c584fbe1357cf4be19264d7f31a21a6c7078ecf18

  • SHA512

    d82ac12df4447ba4548ac3c208ce47695445573c162ceb209a91df9b2cf29297fb0855f77f345272aba0c3d327bd7efe1d3f1e03043299c3bc6159ea9cde8a3a

  • SSDEEP

    12288:qotzb+w6dJ1Nyeo+T5Qfssbe+SvpqnvGj7jlKUo7FrpHl7s9edPJi08ygYeEp:PtH+L9Xoe5/2SRqvGjbovl7s9eD

Score
10/10

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    premium184.web-hosting.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    ^HPUm$4%eL~b

Targets

    • Target

      Payment copy.exe

    • Size

      948KB

    • MD5

      b7a6ca258cb780f735090ba00802cd12

    • SHA1

      9e3bfd9d546dee99434e7f228e96c8ea4179f579

    • SHA256

      649cbde56fbdaf2f52343c1c584fbe1357cf4be19264d7f31a21a6c7078ecf18

    • SHA512

      d82ac12df4447ba4548ac3c208ce47695445573c162ceb209a91df9b2cf29297fb0855f77f345272aba0c3d327bd7efe1d3f1e03043299c3bc6159ea9cde8a3a

    • SSDEEP

      12288:qotzb+w6dJ1Nyeo+T5Qfssbe+SvpqnvGj7jlKUo7FrpHl7s9edPJi08ygYeEp:PtH+L9Xoe5/2SRqvGjbovl7s9eD

    Score
    10/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks