General

  • Target

    2681c94188aa6193f7b51cafa73d0d0edc72e0c4e78fd29aa286e22e24583c63

  • Size

    504KB

  • Sample

    240904-sewcestfrc

  • MD5

    a5c58b6e9f7baec7cf317cf5c9e8100f

  • SHA1

    651583cc9b838369215a77685219485e0880a530

  • SHA256

    2681c94188aa6193f7b51cafa73d0d0edc72e0c4e78fd29aa286e22e24583c63

  • SHA512

    3941c069b8d903e40cfb1e1dbdfbf053ebf821e2e172ffc01d5d3a2c1fa364c7409d55501d12de6de4fa855a268cba288e60902258c9a5ecb52d86be2bc7ada0

  • SSDEEP

    12288:/+ehe83uP9Jeb4Y/vq/JjcA92LcaihP47nxNS9VICYXuHj2Yj0iAM:/zluP9I/yhcMRuxNS9iaD2A03M

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot6514469045:AAGgK1KLWbAJZ7dNmeGHg2OB9PfOTjGrT08/sendMessage?chat_id=6070006284
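
The extracted C2 is not a server the operator runs but a Telegram Bot API call: the path carries the bot token (`bot<bot_id>:<secret>`), the method is `sendMessage`, and `chat_id` names the account or group that receives the stolen data. The script below is an added example (not Triage's code) that parses such URLs into their operator identifiers and then runs that parser as a detection over a constructed proxy log; the log lines, the `host.exe`-style names and the second token in it are made up for the example. Token secrets are typically 35 characters long; the regex allows some slack around that.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Bot API URLs look like https://api.telegram.org/bot<bot_id>:<secret>/<method>?chat_id=...
# Tokens seen in the wild have a 35-character secret; the range below allows some slack.
_BOT_PATH = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,50})/(?P<method>[A-Za-z]+)$"
)


@dataclass(frozen=True)
class TelegramC2:
    bot_id: str
    secret: str
    method: str
    chat_id: Optional[str]

    @property
    def token(self) -> str:
        """Full bot token, i.e. the credential the operator uses with the Bot API."""
        return f"{self.bot_id}:{self.secret}"

    def redacted(self) -> str:
        """Token-safe form for alerts: bot id and chat id identify the operator,
        the secret does not need to be reproduced in tickets or dashboards."""
        return (f"bot{self.bot_id}:{self.secret[:4]}...{self.secret[-4:]}"
                f"/{self.method} chat_id={self.chat_id}")


def parse_telegram_c2(url: str) -> Optional[TelegramC2]:
    """Return bot id, secret, method and chat_id from a Telegram Bot API URL,
    or None if the URL is not a Bot API call (host must be exactly api.telegram.org)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname != "api.telegram.org":
        return None
    m = _BOT_PATH.match(parts.path)
    if not m:
        return None
    chat_id = parse_qs(parts.query).get("chat_id", [None])[0]
    return TelegramC2(m["bot_id"], m["secret"], m["method"], chat_id)


# Bot API methods a stealer uses to push data out; getMe/getUpdates also show up
# when a sample checks that its token is still valid.
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto", "getMe", "getUpdates"}

# Constructed proxy log, "<timestamp> <client-ip> <verb> <url> <status>". Not real traffic;
# line 2 reuses the C2 URL extracted above, line 4 uses a made-up token.
_CONSTRUCTED_TOKEN = "1234567890:" + "A" * 35
SAMPLE_LOG = [
    "2024-09-04T18:35:12Z 10.0.0.5 GET https://example.com/ 200",
    "2024-09-04T18:35:14Z 10.0.0.5 POST https://api.telegram.org/bot6514469045:AAGgK1KLWbAJZ7dNmeGHg2OB9PfOTjGrT08/sendMessage?chat_id=6070006284 200",
    "2024-09-04T18:36:02Z 10.0.0.7 GET https://web.telegram.org/a/ 200",
    f"2024-09-04T18:37:40Z 10.0.0.9 POST https://api.telegram.org/bot{_CONSTRUCTED_TOKEN}/sendDocument?chat_id=42 200",
]


def scan_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, redacted_c2) for every Bot API exfil or check-in call.
    Ordinary Telegram client traffic (web.telegram.org) is not a Bot API call and is ignored."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        c2 = parse_telegram_c2(fields[3])
        if c2 and c2.method in EXFIL_METHODS:
            hits.append((fields[1], c2.redacted()))
    return hits


if __name__ == "__main__":
    for ip, what in scan_log(SAMPLE_LOG):
        print(ip, what)
```

The numeric prefix of the token is the bot's user id and survives a token regeneration, so together with `chat_id` it is the more durable pivot across samples from the same operator; the secret is what you would block or report to Telegram. Treat the full URL as live attacker infrastructure: any `getMe`/`getUpdates` call made with the token from analyst tooling is an interaction the operator can see.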

Targets

    • Target

      Lykkeskillingerne.exe

    • Size

      517KB

    • MD5

      a61d199b40c46ea1e0b9bb6f12165881

    • SHA1

      9ce4221b5c7d8a67ba54b0709d5bbcc893ceed02

    • SHA256

      c4f370cc453d04a84606b36451353fe65c56a5e758b2c138a23fc3741d7f4df9

    • SHA512

      11274f2ea8c4c181e4a0163a947e7d893697db2b0dcb7a280e3a0e37059bb4d02998c0d32b1cc84084fe8e7d9684cec21da708ccefe0628711053626a09beb85

    • SSDEEP

      12288:WZGcVEfEyolcupbbn6/tT9XfSJ37tdrQW:WZbSfEyolpb6FTM7dr9

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first observed in 2020.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
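
The last three signatures are thread-level behaviours. NtSetInformationThread with the ThreadHideFromDebugger class (0x11) stops the kernel from delivering debug events for that thread, so a debugger attached to the process loses sight of it; NtCreateThreadEx with the THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER bit (0x4) has the same effect at creation time; SetThreadContext rewrites another thread's registers and is the call that, after a process is started suspended and its memory overwritten, points that process's main thread at the injected code. The block below is an added example (not Triage's detection logic) that applies those three checks to a constructed API trace in which the tracer has already resolved handles to pids and tids; the pids, tids, the `host.exe` name and the event sequence are made up, and tagging a cross-process SetThreadContext on a suspended, written-into child as process hollowing is this example's interpretation, not something the report states.

```python
from typing import Dict, List

# NT constants behind the three signatures (values from the Windows SDK / NT headers).
THREAD_HIDE_FROM_DEBUGGER = 0x11               # THREADINFOCLASS ThreadHideFromDebugger
THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x4   # NtCreateThreadEx CreateFlags bit
CREATE_SUSPENDED = 0x4                         # CreateProcess dwCreationFlags bit

# Constructed trace, not Triage output. Each event is the calling pid, the API name and
# arguments in which the (hypothetical) tracer has already resolved handles to pids/tids.
TRACE: List[Dict] = [
    {"pid": 1000, "api": "NtSetInformationThread",
     "args": {"tid": 1001, "ThreadInformationClass": THREAD_HIDE_FROM_DEBUGGER}},
    {"pid": 1000, "api": "NtCreateThreadEx",
     "args": {"target_pid": 1000, "new_tid": 1002,
              "CreateFlags": THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER}},
    {"pid": 1000, "api": "CreateProcessW",
     "args": {"image": "host.exe", "dwCreationFlags": CREATE_SUSPENDED,
              "new_pid": 2000, "new_tid": 2001}},
    {"pid": 1000, "api": "WriteProcessMemory", "args": {"target_pid": 2000, "size": 0x7E000}},
    {"pid": 1000, "api": "SetThreadContext", "args": {"tid": 2001}},
    {"pid": 1000, "api": "NtResumeThread", "args": {"tid": 2001}},
    # Control case: a process adjusting one of its own threads, e.g. from an exception handler.
    {"pid": 3000, "api": "SetThreadContext", "args": {"tid": 3001}},
]


def analyze(trace: List[Dict]) -> List[str]:
    """Apply the three signatures in trace order and return one finding per match."""
    thread_owner: Dict[int, int] = {}   # tid -> pid that owns it (learned from creation events)
    suspended = set()                   # pids created with CREATE_SUSPENDED
    written_into = set()                # pids that received a cross-process memory write
    findings: List[str] = []
    for ev in trace:
        pid, api, a = ev["pid"], ev["api"], ev["args"]
        if api == "NtSetInformationThread" and a.get("ThreadInformationClass") == THREAD_HIDE_FROM_DEBUGGER:
            findings.append(f"anti-debug: pid {pid} set ThreadHideFromDebugger on tid {a['tid']}")
        elif api == "NtCreateThreadEx":
            thread_owner[a["new_tid"]] = a["target_pid"]
            if a["CreateFlags"] & THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER:
                findings.append(f"anti-debug: pid {pid} created tid {a['new_tid']} with HIDE_FROM_DEBUGGER")
        elif api == "CreateProcessW":
            thread_owner[a["new_tid"]] = a["new_pid"]
            if a["dwCreationFlags"] & CREATE_SUSPENDED:
                suspended.add(a["new_pid"])
        elif api == "WriteProcessMemory" and a["target_pid"] != pid:
            written_into.add(a["target_pid"])
        elif api == "SetThreadContext":
            # Threads never seen being created are assumed to belong to the caller.
            owner = thread_owner.get(a["tid"], pid)
            if owner != pid:
                pattern = ("process hollowing pattern (suspended child, memory written, context replaced)"
                           if owner in suspended and owner in written_into
                           else "cross-process thread context write")
                findings.append(f"injection: pid {pid} called SetThreadContext on tid {a['tid']} "
                                f"of pid {owner}: {pattern}")
    return findings


if __name__ == "__main__":
    for line in analyze(TRACE):
        print(line)
```

The sandbox signature fires on the bare call; the ordering logic here only adds context. When triaging such a hit, look at which thread the context was written to and whether that thread's process was created suspended by the same parent, and expect a follow-up ResumeThread; a SetThreadContext on the caller's own thread is far more often legitimate (exception handlers, debuggers, some runtimes) than a cross-process one.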

MITRE ATT&CK Enterprise v15

Tasks