Overview

Task scores (score, task, platform; sample names are truncated as on the original page):
  10  overview
  10  static
   1  venome otp...ip.dll   windows7-x64
   1  venome otp...ip.dll   windows10-2004-x64
   1  venome otp...ol.dll   windows7-x64
   1  venome otp...ol.dll   windows10-2004-x64
   1  venome otp...ET.dll   windows7-x64
   1  venome otp...ET.dll   windows10-2004-x64
   1  venome otp...on.dll   windows7-x64
   1  venome otp...on.dll   windows10-2004-x64
   1  venome otp...te.dll   windows7-x64
   1  venome otp...te.dll   windows10-2004-x64
   3  venome otp...on.dll   windows7-x64
   3  venome otp...on.dll   windows10-2004-x64
   1  venome otp...ds.dll   windows7-x64
   1  venome otp...ds.dll   windows10-2004-x64
  10  venome otp...OT.exe   windows7-x64
  10  venome otp...OT.exe   windows10-2004-x64
   1  venome otp...et.dll   windows7-x64
   1  venome otp...et.dll   windows10-2004-x64

Analysis
max time kernel: 121s
max time network: 130s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 17/01/2025, 15:58
Behavioral tasks (task: sample, resource)
behavioral1: venome otp BOT/OTP BOT/DotNetZip.dll, win7-20240729-en
behavioral2: venome otp BOT/OTP BOT/DotNetZip.dll, win10v2004-20241007-en
behavioral3: venome otp BOT/OTP BOT/HandyControl.dll, win7-20240903-en
behavioral4: venome otp BOT/OTP BOT/HandyControl.dll, win10v2004-20241007-en
behavioral5: venome otp BOT/OTP BOT/MailBee.NET.dll, win7-20241010-en
behavioral6: venome otp BOT/OTP BOT/MailBee.NET.dll, win10v2004-20241007-en
behavioral7: venome otp BOT/OTP BOT/Newtonsoft.Json.dll, win7-20240903-en
behavioral8: venome otp BOT/OTP BOT/Newtonsoft.Json.dll, win10v2004-20241007-en
behavioral9: venome otp BOT/OTP BOT/System.Data.SQLite.dll, win7-20240729-en
behavioral10: venome otp BOT/OTP BOT/System.Data.SQLite.dll, win10v2004-20241007-en
behavioral11: venome otp BOT/OTP BOT/System.Windows.Controls.Ribbon.dll, win7-20240903-en
behavioral12: venome otp BOT/OTP BOT/System.Windows.Controls.Ribbon.dll, win10v2004-20241007-en
behavioral13: venome otp BOT/OTP BOT/ToolGood.Words.dll, win7-20240903-en
behavioral14: venome otp BOT/OTP BOT/ToolGood.Words.dll, win10v2004-20241007-en
behavioral15: venome otp BOT/OTP BOT/venome OTP BOT.exe, win7-20240903-en
behavioral16: venome otp BOT/OTP BOT/venome OTP BOT.exe, win10v2004-20241007-en
behavioral17: venome otp BOT/OTP BOT/xNet.dll, win7-20240903-en
behavioral18: venome otp BOT/OTP BOT/xNet.dll, win10v2004-20241007-en
General

Target: venome otp BOT/OTP BOT/venome OTP BOT.exe
Size: 320KB
MD5: 6dd244ddd53c77f55d357aea0f3bc628
SHA1: 30d55d00b20777fcc4032c04294f98f3d6ea6bce
SHA256: 4a1b68b1e57efca7e9b6eb5dd42f264e6cadb86fce91eda03364bb444eeb7125
SHA512: edb001f6b6c53d7007a63332f16e7f09534cbdd8a2cbc789d9889d4dd8cdb1e1dfea967f0fc03cf1b6e31be2a24fbe08bf9b3b1c2e89631a2a6db49c281b0631
SSDEEP: 6144:3m/Q1Q5Ng68j/svmHC40+XIzFUygWK0tWrcBOvZ:3m/Q6P8j/svm1TXI5tZB
Malware Config
Signatures

StormKitty
StormKitty is an open source info stealer written in C#.

StormKitty payload (1 IoC)
resource | yara_rule
behavioral15/memory/2972-1-0x0000000000900000-0x0000000000956000-memory.dmp | family_stormkitty

Stormkitty family

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | venome OTP BOT.exe
Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | venome OTP BOT.exe
Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | venome OTP BOT.exe

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops desktop.ini file(s) (4 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\MXQFNXLT\FileGrabber\Desktop\desktop.ini | venome OTP BOT.exe
File created | C:\Users\Admin\AppData\Roaming\MXQFNXLT\FileGrabber\Documents\desktop.ini | venome OTP BOT.exe
File created | C:\Users\Admin\AppData\Roaming\MXQFNXLT\FileGrabber\Downloads\desktop.ini | venome OTP BOT.exe
File created | C:\Users\Admin\AppData\Roaming\MXQFNXLT\FileGrabber\Pictures\desktop.ini | venome OTP BOT.exe

Looks up external IP address via web service (7 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
19 | api.ipify.org
20 | ip-api.com
22 | api.ipify.org
23 | api.ipify.org
4 | freegeoip.app
8 | freegeoip.app
18 | api.ipify.org

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | venome OTP BOT.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | venome OTP BOT.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | venome OTP BOT.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
2972 | venome OTP BOT.exe (6 occurrences)

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 2972 | venome OTP BOT.exe

outlook_office_path (1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | venome OTP BOT.exe

outlook_win_path (1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | venome OTP BOT.exe
Processes

C:\Users\Admin\AppData\Local\Temp\venome otp BOT\OTP BOT\venome OTP BOT.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\venome otp BOT\OTP BOT\venome OTP BOT.exe"
  PID: 2972
  Signatures:
  - Accesses Microsoft Outlook profiles
  - Drops desktop.ini file(s)
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path

C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
  PID: 2564
Network
MITRE ATT&CK Enterprise v15

Credential Access
  Credentials from Password Stores (T1555): 1
    Credentials from Web Browsers (T1555.003): 1
  Unsecured Credentials (T1552): 2
    Credentials In Files (T1552.001): 2
Downloads

Filesize: 105B
MD5: 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1: 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256: c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512: d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Filesize: 184KB
MD5: 14014d8660dcd0851f5f7db18e2924b2
SHA1: b930dd7d388ad4329ecc724ff472e0fc1c0ae650
SHA256: 43387144c5209fac1376b9d161f0ae0895fc93e9488cba2fc967acd2790f8257
SHA512: 2747b4c7eafeed7ac6a98e889a6d85196c4262ba024d7c8dc9cd7e1abb3578f866a8365fa52d3c9003d6613ef7e8d4ae37408f38f3cacbc541dcf4111849e056

Filesize: 337KB
MD5: 5841dd05e5ee398796158db6d8818c6e
SHA1: 3d155152ee8c4dc2f48056cd8fe3a92571263136
SHA256: b431da2f0cbca45e6040d992fb32341aa447b38ce38f10b0a2bfb0f3a329e1ef
SHA512: 7f33a22bb4f1c82ddfeb9df12facd89ea752d4a8f7745af4d11af5018ccf3d8128b904dfe2a2236782411ca8477c5313674edda4da663a12c8b7005f597e0ae7

Filesize: 799KB
MD5: f56f1355d902453f4b16244cf6716b53
SHA1: 5d75bc89b6a302b8b235e0a7fac7a3ae2e22e9f6
SHA256: 0929297df78446677311bb6a59ee9341a63c5a894cb553e1d714fd0a4c0f4693
SHA512: c604e274a614cedcef188dcd8b5991843b7c29c8704886db14d956a15e72a4444d4439922852874c91c4fc29720984a5a17daf002dae85950988afe672545de0

Filesize: 496KB
MD5: e60d26aa9cb6bce7c74030b3892dc885
SHA1: 47c6fef6baacedae0ece1a19e8b3da370b0478c8
SHA256: 53d457988ae4355ca7a8b10ba95b924da96eeaec258c6d06b9e0fb25cf65f956
SHA512: 69af016bf44f28f7680643912517c3da49fcc7b954f2bbf355cfdc93dc37dc75c7b9471dc8206bada5d5753ca346566b7cd3bc366dbfb591107afbc5589af871

Filesize: 337KB
MD5: b1bddf7983aa3f0c91d8e975af10ffa6
SHA1: 767e7bd4ee8b41ec635c1f8d7df28ed0ec5364ff
SHA256: 9a114ac0a456968eb6db5ea70eee5416c7e1ebd277cf2594d0778cfa69d3731f
SHA512: 9aff8e8641bd0e93c63045bbfafe2aa72a830a9877d9e8c4176cc7067faecb532281550a06db402c4c5d04f446d89666d76f58c993a82c5e34bd87539e8e7160

Filesize: 426KB
MD5: 3e6c3615f4d9a8d8c2ff95c721e4a128
SHA1: 6e3233cfce0646e14ee9adaca9bc1d5b351ad013
SHA256: 51f3bf408d95839fbcfa80743a056bc93eb2104f29db23d3d351aa8c358d5ee0
SHA512: e14cd9b1d7001bf3371b8aa04dd080d2e91f1e7584878544a429ce2f241487c43d8be7a48e93783afedd16c4b9bb0e2095b67517f0fff60bbe10150efae55eae

Filesize: 287KB
MD5: b0a8e98991fbd44c0fec2aa1c54e7d77
SHA1: bf156fdcac03bdb9bc3528707f8686efafcc8111
SHA256: ff691a308fdf311cce3e915e01379e7ec9c065010c686eba7bc562ef7fce4409
SHA512: 2b13ce3070ade7b053ddb4849dfca01cb97d7964dcbca5ead00fb0f6beeae7df48e89cf794e81bf40b819e999e30d8a3f1e86bb05e797f3b931ad5409822e8c0

Filesize: 297KB
MD5: cf612520f3bed0d00214fbb53652be1a
SHA1: fa908b7209095944d721ea9590a19c095109b4b7
SHA256: 5dff57936defc6fb00076ef0db5302b649161af1f0400b7d22dcaf516b125cb1
SHA512: 2ca84aa300a46a62977b11d2e6230a2cb7734d04645848d7ee46ec1a99c6947fc71134b675f218dd32989284eda7d2a995d32e2e78c44474e8bcb55dd8754df9