Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
remittance copy-25.09.2024.rar
-
Size
637KB
-
Sample
240925-rej4qayhrj
-
MD5
834d6a356e835041a6ccb07bf304f730
-
SHA1
95f85e1b28200677061c25c270b0955275912ea8
-
SHA256
e9bdf327ee8be4ca9aaa932d888c1f5223a2b36b0147d574a0f3779376a22fd8
-
SHA512
32afe12f3de68903d3eef0488da7d591bcb5fd9c18f5bb0eac5ef2f85e436a1a62fe8dd704db59e418ebedccace4c72e7124f0b11406ca635d425c630441f028
-
SSDEEP
12288:CuC7ftdvAFmZK+88IYJwMkQGXvHVELjj6/Kuz4wIxDNrq/EpxwZwJfn8:CumdIFmSckQu/VijjRHHVqcxhJf8
Static task
static1
Behavioral task
behavioral1
Sample
remittance copy-25.09.2024.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
remittance copy-25.09.2024.exe
Resource
win10v2004-20240802-en
Malware Config
Extracted
Protocol: smtp- Host:
us2.smtp.mailhostbox.com - Port:
587 - Username:
[email protected] - Password:
QvGP%z%2
Extracted
vipkeylogger
Protocol: smtp- Host:
us2.smtp.mailhostbox.com - Port:
587 - Username:
[email protected] - Password:
QvGP%z%2 - Email To:
[email protected]
Targets
-
-
Target
remittance copy-25.09.2024.exe
-
Size
688KB
-
MD5
3b7c235252eba27cf163fb80869be68f
-
SHA1
e61803468d6f6f996d9f5d9c75d34ab602c7bae4
-
SHA256
ceca739302bb3267a12223a60ea0e703e138a87c8833467f1ae6e009eeefb82a
-
SHA512
13986f599a53c688c81f5c9f148ed59580b4f8d0afbfa9f7524c0ed31628d4c50d1957c7728c31fdbaef51ecf58633387c7cd8f48eb1e27bc110b1d13602a9c4
-
SSDEEP
12288:J1kp8KicyholayCODKfSIGdou0EiVdK+SoxPPMWBE2dvVVMFgNEFcm0eG9A8bQb:m8tcSolabaKfSI7yi3K+So9vB9tVM2Pk
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2