General

  • Target

    OC_0069960.pdf.exe

  • Size

    698KB

  • Sample

    240919-pnrttaybkc

  • MD5

    1b3d6a5c2478e4ff1fc016b5fcb9b25b

  • SHA1

    52e0a6ec9d17c331b36f48ded9b35ca16aafc10b

  • SHA256

    e5d71d130593a06ff0c8b0ab05d4c6bd448dd6cbd82c9ba62512a9d240620237

  • SHA512

    9dead747fecdc68e002d8089f8437a2e0e729e3a47291f99917b95f1b5119703d44b57c486df79d6d1b083a71936f726e9d75b6719236f9b029f44f218589389

  • SSDEEP

    12288:rLly7CoRIfzzZF5SbvHfDIPRiuqeoJ2n4lvygU2x3kXC3zjh92nedb6HH:rQ7CoKfzzA/DIPRVqtFqg0Oj2nedbc

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot6497814516:AAHas9Bu_Hsm8fSF5_kPM60KYlhgUBs0vww/sendMessage?chat_id=7220818658

Targets

    • Target

      OC_0069960.pdf.exe

    • Size

      698KB

    • MD5

      1b3d6a5c2478e4ff1fc016b5fcb9b25b

    • SHA1

      52e0a6ec9d17c331b36f48ded9b35ca16aafc10b

    • SHA256

      e5d71d130593a06ff0c8b0ab05d4c6bd448dd6cbd82c9ba62512a9d240620237

    • SHA512

      9dead747fecdc68e002d8089f8437a2e0e729e3a47291f99917b95f1b5119703d44b57c486df79d6d1b083a71936f726e9d75b6719236f9b029f44f218589389

    • SSDEEP

      12288:rLly7CoRIfzzZF5SbvHfDIPRiuqeoJ2n4lvygU2x3kXC3zjh92nedb6HH:rQ7CoKfzzA/DIPRVqtFqg0Oj2nedbc

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it closely resembles SnakeKeylogger, which was first seen in 2020.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
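
The configuration above gives the whole exfiltration channel in one URL: the Telegram Bot API host, the bot token (whose numeric prefix is the bot ID) and the destination chat_id. The following is an added triage example, not code from tria.ge or from the sample: it splits that URL into the fields a detection or a takedown report needs, and then runs the "IP lookup followed by Telegram Bot API call" sequence the signatures describe over a few constructed proxy log lines. The list of IP-lookup hosts, the log format and the log contents (including the second, unrelated bot token) are assumptions made for the example; the report does not say which lookup service the sample used.

```python
"""Triage helpers for a Telegram-bot C2: parse the extracted URL into IOCs and
flag the IP-lookup -> Telegram Bot API sequence in proxy logs (added example)."""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Telegram Bot API paths look like /bot<token>/<method>; the token is "<bot id>:<secret>".
_BOT_PATH = re.compile(r"^/bot(?P<token>(?P<bot_id>\d+):[A-Za-z0-9_-]+)/(?P<method>\w+)$")


def parse_telegram_c2(url):
    """Break a Telegram Bot API URL into bot_id, token, method and chat_id."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        raise ValueError("not a Telegram Bot API URL")
    m = _BOT_PATH.match(parts.path)
    if not m:
        raise ValueError("unexpected Bot API path")
    query = parse_qs(parts.query)
    return {
        "bot_id": m["bot_id"],
        "token": m["token"],
        "method": m["method"],
        "chat_id": query.get("chat_id", [None])[0],
    }


# Assumed set of well-known external-IP lookup services; extend to match your environment.
IP_LOOKUP_HOSTS = {
    "checkip.dyndns.org", "api.ipify.org", "ip-api.com", "ipinfo.io", "icanhazip.com",
}

# Constructed proxy log: "<UTC timestamp> <source host> <method> <url>".
# WS-0142 reproduces the sample's behaviour; WS-0077 and WS-0099 are decoys that
# should not fire (no lookup before the bot call / no bot call after the lookup).
SAMPLE_PROXY_LOG = """\
2024-09-19T12:31:02Z WS-0142 GET http://checkip.dyndns.org/
2024-09-19T12:31:04Z WS-0142 POST https://api.telegram.org/bot6497814516:AAHas9Bu_Hsm8fSF5_kPM60KYlhgUBs0vww/sendMessage?chat_id=7220818658
2024-09-19T12:33:10Z WS-0077 GET https://api.telegram.org/bot1111111111:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/getUpdates
2024-09-19T12:40:00Z WS-0099 GET https://ipinfo.io/json
"""


def find_exfil_sequences(log_text, window=timedelta(minutes=5)):
    """Return (host, bot_id, chat_id) for every host that queried an IP-lookup
    service and then called the Telegram Bot API within `window`."""
    last_lookup = {}
    hits = []
    for line in log_text.splitlines():
        ts_text, host, _method, url = line.split(" ", 3)
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
        dst = urlsplit(url).hostname
        if dst in IP_LOOKUP_HOSTS:
            last_lookup[host] = ts
        elif dst == "api.telegram.org":
            seen = last_lookup.get(host)
            if seen is not None and ts - seen <= window:
                c2 = parse_telegram_c2(url)
                hits.append((host, c2["bot_id"], c2["chat_id"]))
    return hits


if __name__ == "__main__":
    print(parse_telegram_c2(
        "https://api.telegram.org/bot6497814516:AAHas9Bu_Hsm8fSF5_kPM60KYlhgUBs0vww"
        "/sendMessage?chat_id=7220818658"))
    for host, bot_id, chat_id in find_exfil_sequences(SAMPLE_PROXY_LOG):
        print(f"{host}: exfil to Telegram bot {bot_id}, chat {chat_id}")
```

Pairing the lookup with the bot call keeps the rule from firing on every request to api.telegram.org, which is a legitimate host; the bot_id and chat_id it returns are the values to block and to report to Telegram, since the full token is already public in this report.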

MITRE ATT&CK Enterprise v15

Tasks