General
- Target: 1de5f71b2ccfeba54c7e96e768b316d8ad2893f83fab070c504b33c3fb0e8de0
- Size: 675KB
- Sample: 240829-fy2mbsxdml
- MD5: bc471cd6b303bea21564e98c891e55af
- SHA1: 08ce44b2c5a396a693d725a3e650819738b81cb0
- SHA256: 1de5f71b2ccfeba54c7e96e768b316d8ad2893f83fab070c504b33c3fb0e8de0
- SHA512: eb56e1ab808681df5e37db172b3019e3f462eecc7e6ea4937b0420df892f21056daec6a0d7805d399d84c83c8b2c6092c27b581dc07db27dc288149c04600f82
- SSDEEP: 12288:OJdhrwoPMY5DWQ0h7FEOLZxXDvXrBVJLvp9GYVdXqX93meKoA4+nvtdF3oV:8twZY5DQDpHBd9nbaxLKoA40w
Static task
- static1

Behavioral task
- behavioral1
  - Sample: SMT-SMTLEE.exe
  - Resource: win7-20240708-en

Behavioral task
- behavioral2
  - Sample: SMT-SMTLEE.exe
  - Resource: win10v2004-20240802-en
Malware Config
Extracted: vipkeylogger
- Protocol: smtp
- Host: mail.laime.it
- Port: 587
- Username: [email protected]
- Password: Oqc9k0@9
- Email To: [email protected]
Targets
- Target: SMT-SMTLEE.exe
- Size: 695KB
- MD5: d86d32a91cd4fbf6b7ef7ee1593333d5
- SHA1: de006ba907db6b0cdc0b1ffd5ce0dc34575da3f5
- SHA256: 04b2fa83d9f55ff2b689a6f8541cd7529c7c1166bda9be8cc46d5014f41fa1e1
- SHA512: 70d0e8dcebbf6e77280c7b1ccd060386f0e25ec6da58044c32c0d5e9d8ce741bcf7a5bf64cd6af4da2a4498c7a5b88f515f0e90551276eedccb206be76481ded
- SSDEEP: 12288:iVVGEHMe5DzoyMhBf8O/rDtTvLrBVJLvFs0YVQQyoGeKc5g/:0GLe5D6PVdBxsRxyorKcq
Signatures
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious access to, or copying of, the web browser credential store.
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely as a geofence.
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP address.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (2)
  - Credentials In Files (2)