General

  • Target

    cc4e80189451b050cc7bc90aa3fa787a4e3a50a0cc6f845fa68bdc849b1f5d14.exe

  • Size

    1.2MB

  • Sample

    241005-b8wrlsydjr

  • MD5

    99f8afeaf690544887a8bfc9243f3c7f

  • SHA1

    49ac8b9909d9c429530860e851a81f1262a5ce14

  • SHA256

    cc4e80189451b050cc7bc90aa3fa787a4e3a50a0cc6f845fa68bdc849b1f5d14

  • SHA512

    02b7f53d0430b172599f5449b78b83fe722fa5443e02e9b6b116a964d1cb008c5c0dd5d0909930f66c37bef6214bbb5d1c3f440ccb6e930f68462ba677d87e0a

  • SSDEEP

    24576:ffmMv6Ckr7Mny5QLpJtGoBCZNyozGcuYViYxy7Y5b:f3v+7/5QLpJaZNKcoYxPB

Malware Config

Extracted

Family

vipkeylogger

Credentials

C2

https://api.telegram.org/bot7323823089:AAFBRsTW94zIpSoDS8yfGsotlQLqF2I6TU0/sendMessage?chat_id=5013849544

Targets

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks