Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    a3313af3a13e7801576cbcd9399e9b73d1a8e8f4940c1d44f0014513e2ce17b1.exe

  • Size

    791KB

  • Sample

    240822-mkj9fssajf

  • MD5

    ca72531e5be781f589e9a3a6790f21bf

  • SHA1

    8cea2052547bdb3cf23cceb3671a7e28a8b2da3b

  • SHA256

    a3313af3a13e7801576cbcd9399e9b73d1a8e8f4940c1d44f0014513e2ce17b1

  • SHA512

    609f89c83144412f182e8ac555c7194843425c2563b2b517d0f0d6d6ff9baa4ee715756d6df5871b3a455c488eef5a5ddfed0651c8ad6bd00dae0934b4c74cde

  • SSDEEP

    24576:N5xLg+D+BlYfXYgZEKBKF4p5WV4EYONV:DxLxD4lbgZEFF4KV4EYO

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7470097193:AAH7g9zj8FQx12YOFkn9mZO_1-BTN4b6gKo/sendMessage?chat_id=6155920142

Targets

    • Target

      a3313af3a13e7801576cbcd9399e9b73d1a8e8f4940c1d44f0014513e2ce17b1.exe

    • Size

      791KB

    • MD5

      ca72531e5be781f589e9a3a6790f21bf

    • SHA1

      8cea2052547bdb3cf23cceb3671a7e28a8b2da3b

    • SHA256

      a3313af3a13e7801576cbcd9399e9b73d1a8e8f4940c1d44f0014513e2ce17b1

    • SHA512

      609f89c83144412f182e8ac555c7194843425c2563b2b517d0f0d6d6ff9baa4ee715756d6df5871b3a455c488eef5a5ddfed0651c8ad6bd00dae0934b4c74cde

    • SSDEEP

      24576:N5xLg+D+BlYfXYgZEKBKF4p5WV4EYONV:DxLxD4lbgZEFF4KV4EYO

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks