Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    121s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    17/01/2025, 15:58

General

  • Target

    venome otp BOT/OTP BOT/venome OTP BOT.exe

  • Size

    320KB

  • MD5

    6dd244ddd53c77f55d357aea0f3bc628

  • SHA1

    30d55d00b20777fcc4032c04294f98f3d6ea6bce

  • SHA256

    4a1b68b1e57efca7e9b6eb5dd42f264e6cadb86fce91eda03364bb444eeb7125

  • SHA512

    edb001f6b6c53d7007a63332f16e7f09534cbdd8a2cbc789d9889d4dd8cdb1e1dfea967f0fc03cf1b6e31be2a24fbe08bf9b3b1c2e89631a2a6db49c281b0631

  • SSDEEP

    6144:3m/Q1Q5Ng68j/svmHC40+XIzFUygWK0tWrcBOvZ:3m/Q6P8j/svm1TXI5tZB

Malware Config

Signatures

  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • Stormkitty family
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops desktop.ini file(s) 4 IoCs
  • Looks up external IP address via web service 7 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\venome otp BOT\OTP BOT\venome OTP BOT.exe
    "C:\Users\Admin\AppData\Local\Temp\venome otp BOT\OTP BOT\venome OTP BOT.exe"
    1⤵
    • Accesses Microsoft Outlook profiles
    • Drops desktop.ini file(s)
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • outlook_office_path
    • outlook_win_path
    PID:2972
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:2564

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Roaming\MXQFNXLT\Browsers\Firefox\Bookmarks.txt

      Filesize

      105B

      MD5

      2e9d094dda5cdc3ce6519f75943a4ff4

      SHA1

      5d989b4ac8b699781681fe75ed9ef98191a5096c

      SHA256

      c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

      SHA512

      d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

    • C:\Users\Admin\AppData\Roaming\MXQFNXLT\FileGrabber\Desktop\AddUse.rtf

      Filesize

      184KB

      MD5

      14014d8660dcd0851f5f7db18e2924b2

      SHA1

      b930dd7d388ad4329ecc724ff472e0fc1c0ae650

      SHA256

      43387144c5209fac1376b9d161f0ae0895fc93e9488cba2fc967acd2790f8257

      SHA512

      2747b4c7eafeed7ac6a98e889a6d85196c4262ba024d7c8dc9cd7e1abb3578f866a8365fa52d3c9003d6613ef7e8d4ae37408f38f3cacbc541dcf4111849e056

    • C:\Users\Admin\AppData\Roaming\MXQFNXLT\FileGrabber\Desktop\GrantRestore.rtf

      Filesize

      337KB

      MD5

      5841dd05e5ee398796158db6d8818c6e

      SHA1

      3d155152ee8c4dc2f48056cd8fe3a92571263136

      SHA256

      b431da2f0cbca45e6040d992fb32341aa447b38ce38f10b0a2bfb0f3a329e1ef

      SHA512

      7f33a22bb4f1c82ddfeb9df12facd89ea752d4a8f7745af4d11af5018ccf3d8128b904dfe2a2236782411ca8477c5313674edda4da663a12c8b7005f597e0ae7

    • C:\Users\Admin\AppData\Roaming\MXQFNXLT\FileGrabber\Documents\DebugEdit.pptx

      Filesize

      799KB

      MD5

      f56f1355d902453f4b16244cf6716b53

      SHA1

      5d75bc89b6a302b8b235e0a7fac7a3ae2e22e9f6

      SHA256

      0929297df78446677311bb6a59ee9341a63c5a894cb553e1d714fd0a4c0f4693

      SHA512

      c604e274a614cedcef188dcd8b5991843b7c29c8704886db14d956a15e72a4444d4439922852874c91c4fc29720984a5a17daf002dae85950988afe672545de0

    • C:\Users\Admin\AppData\Roaming\MXQFNXLT\FileGrabber\Documents\GroupLock.xlsx

      Filesize

      496KB

      MD5

      e60d26aa9cb6bce7c74030b3892dc885

      SHA1

      47c6fef6baacedae0ece1a19e8b3da370b0478c8

      SHA256

      53d457988ae4355ca7a8b10ba95b924da96eeaec258c6d06b9e0fb25cf65f956

      SHA512

      69af016bf44f28f7680643912517c3da49fcc7b954f2bbf355cfdc93dc37dc75c7b9471dc8206bada5d5753ca346566b7cd3bc366dbfb591107afbc5589af871

    • C:\Users\Admin\AppData\Roaming\MXQFNXLT\FileGrabber\Pictures\DenyLimit.png

      Filesize

      337KB

      MD5

      b1bddf7983aa3f0c91d8e975af10ffa6

      SHA1

      767e7bd4ee8b41ec635c1f8d7df28ed0ec5364ff

      SHA256

      9a114ac0a456968eb6db5ea70eee5416c7e1ebd277cf2594d0778cfa69d3731f

      SHA512

      9aff8e8641bd0e93c63045bbfafe2aa72a830a9877d9e8c4176cc7067faecb532281550a06db402c4c5d04f446d89666d76f58c993a82c5e34bd87539e8e7160

    • C:\Users\Admin\AppData\Roaming\MXQFNXLT\FileGrabber\Pictures\DismountPing.jpg

      Filesize

      426KB

      MD5

      3e6c3615f4d9a8d8c2ff95c721e4a128

      SHA1

      6e3233cfce0646e14ee9adaca9bc1d5b351ad013

      SHA256

      51f3bf408d95839fbcfa80743a056bc93eb2104f29db23d3d351aa8c358d5ee0

      SHA512

      e14cd9b1d7001bf3371b8aa04dd080d2e91f1e7584878544a429ce2f241487c43d8be7a48e93783afedd16c4b9bb0e2095b67517f0fff60bbe10150efae55eae

    • C:\Users\Admin\AppData\Roaming\MXQFNXLT\FileGrabber\Pictures\GroupRegister.jpeg

      Filesize

      287KB

      MD5

      b0a8e98991fbd44c0fec2aa1c54e7d77

      SHA1

      bf156fdcac03bdb9bc3528707f8686efafcc8111

      SHA256

      ff691a308fdf311cce3e915e01379e7ec9c065010c686eba7bc562ef7fce4409

      SHA512

      2b13ce3070ade7b053ddb4849dfca01cb97d7964dcbca5ead00fb0f6beeae7df48e89cf794e81bf40b819e999e30d8a3f1e86bb05e797f3b931ad5409822e8c0

    • C:\Users\Admin\AppData\Roaming\MXQFNXLT\FileGrabber\Pictures\SelectConfirm.svg

      Filesize

      297KB

      MD5

      cf612520f3bed0d00214fbb53652be1a

      SHA1

      fa908b7209095944d721ea9590a19c095109b4b7

      SHA256

      5dff57936defc6fb00076ef0db5302b649161af1f0400b7d22dcaf516b125cb1

      SHA512

      2ca84aa300a46a62977b11d2e6230a2cb7734d04645848d7ee46ec1a99c6947fc71134b675f218dd32989284eda7d2a995d32e2e78c44474e8bcb55dd8754df9

    • memory/2972-2-0x0000000074B80000-0x000000007526E000-memory.dmp

      Filesize

      6.9MB

    • memory/2972-1-0x0000000000900000-0x0000000000956000-memory.dmp

      Filesize

      344KB

    • memory/2972-0-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

      Filesize

      4KB

    • memory/2972-154-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

      Filesize

      4KB

    • memory/2972-155-0x0000000074B80000-0x000000007526E000-memory.dmp

      Filesize

      6.9MB

    • memory/2972-178-0x0000000074B80000-0x000000007526E000-memory.dmp

      Filesize

      6.9MB