General

  • Target: 1de5f71b2ccfeba54c7e96e768b316d8ad2893f83fab070c504b33c3fb0e8de0
  • Size: 675KB
  • Sample: 240829-fy2mbsxdml
  • MD5: bc471cd6b303bea21564e98c891e55af
  • SHA1: 08ce44b2c5a396a693d725a3e650819738b81cb0
  • SHA256: 1de5f71b2ccfeba54c7e96e768b316d8ad2893f83fab070c504b33c3fb0e8de0
  • SHA512: eb56e1ab808681df5e37db172b3019e3f462eecc7e6ea4937b0420df892f21056daec6a0d7805d399d84c83c8b2c6092c27b581dc07db27dc288149c04600f82
  • SSDEEP: 12288:OJdhrwoPMY5DWQ0h7FEOLZxXDvXrBVJLvp9GYVdXqX93meKoA4+nvtdF3oV:8twZY5DQDpHBd9nbaxLKoA40w

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target: SMT-SMTLEE.exe
    • Size: 695KB
    • MD5: d86d32a91cd4fbf6b7ef7ee1593333d5
    • SHA1: de006ba907db6b0cdc0b1ffd5ce0dc34575da3f5
    • SHA256: 04b2fa83d9f55ff2b689a6f8541cd7529c7c1166bda9be8cc46d5014f41fa1e1
    • SHA512: 70d0e8dcebbf6e77280c7b1ccd060386f0e25ec6da58044c32c0d5e9d8ce741bcf7a5bf64cd6af4da2a4498c7a5b88f515f0e90551276eedccb206be76481ded
    • SSDEEP: 12288:iVVGEHMe5DzoyMhBf8O/rDtTvLrBVJLvFs0YVQQyoGeKc5g/:0GLe5D6PVdBxsRxyorKcq

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15