General

  • Target: b3dfc135ae9f16cdabbaa4a371f0ab7411a3ec9d2d77c8e34bd533e9cc1b835f.zip
  • Size: 635KB
  • Sample: 241009-cnnqyaxdlb
  • MD5: e9ceef64a8a9d1b411592f0c82f954cd
  • SHA1: ad94d567b0a2fa5dfb625a76e5aad618ea793f33
  • SHA256: b3dfc135ae9f16cdabbaa4a371f0ab7411a3ec9d2d77c8e34bd533e9cc1b835f
  • SHA512: 81ecdb0e5a908abf77d6462413e56b6e5a375f1fd3e6f199ede7669dc3109c1138af92142596bd0e50e05cce3f11fc4ea5e6fe0b5248d3cb09e10b39888481a3
  • SSDEEP: 12288:cDkb24tOjHKHxvENIOisIcWmZFlJUWZv1E9iBOwpjdWJsJyEAuRwc+:HjOjuqNF0klJD38wp0KJvT+

Malware Config

Extracted

  • Family: vipkeylogger
  • C2: https://api.telegram.org/bot7447202022:AAGD0i86CLrQjVCFNJEDT_YnT4c6StGryyE/sendMessage?chat_id=7155582826

Targets

    • Target: PO-009 Compurent.exe
    • Size: 658KB
    • MD5: 339e40c9c69f587ecf57fb4f34df3da0
    • SHA1: fe477958b4a728dab031ecbd5ea0c6a9a985c467
    • SHA256: 5e27cf81fa5bf72f66bdb2bba36e9bd04f231ea0c27327b7fbe71370a32c306b
    • SHA512: c33535028de2ad8c05db54f85f7184ea0805a97d30f6187993b8204c53d8885afd787503b714cbebb0ef787fc46352ae00ebf903742156f348088bc8b6dcade5
    • SSDEEP: 12288:X17kvBCirdHKzxLEJIOjeaIc0mZ7DXiWbv5O9EBOw1jbWfOJyEqum6coTr4:X1ociZYiJ/sSDXzB8w122JYoTk

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks