Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Untangibility90.exe

windows7-x64

8

Untangibility90.exe

windows10-2004-x64

10

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    PEDIDO161224.rar

  • Size

    1.0MB

  • Sample

    241217-hzqbsstmgz

  • MD5

    5512e6253667a66d7300cac2b8f51b7f

  • SHA1

    da9659a0350a4d575184c62b47bcfb6618aa4a8d

  • SHA256

    e71a63d388fdcf8ad7fa5b03592fa116469a8a9f1bdcbbcb7aa459665905ff8a

  • SHA512

    fbbc25e11b540de4dd76d6d73863d75bda05f9f32dbb04a8cf101ed480635f066a8fa9812ec8af06d5cdc52d6d211837e136db1c5a0657b092fed364c9f4b9d5

  • SSDEEP

    24576:YaTMjZaerEV0kqXJ+ny3Nyq5loFJKiTlyvytMEGF3Yy:YfjZaGEQJuSyElIJr1G9X

Score
10/10
vipkeyloggercollectiondiscoveryexecutionkeyloggerstealer

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7668974942:AAFyrHvXMv2uhMX9l0hNEPNVnFxCDfLErLs/sendMessage?chat_id=7295320361

Targets

    • Target

      Untangibility90.exe

    • Size

      1.1MB

    • MD5

      343b6d84d887fc6f42e259c22ddce824

    • SHA1

      e7423cd8620ecb4dee9e1781386c1d0273bcd373

    • SHA256

      dd5ae442b593e4611d93ddcf5606f20ea4686a9d63b46f546a7f86bd1785d41b

    • SHA512

      1b697bd0446b44c05fc2cea0ea073476486c8f754797c714a6dc4578267dcc8a23243c0c65b9a7cd603a0b3bbf4cd5c995aae75cddd9759f69cb3d28e9785852

    • SSDEEP

      24576:ONrNYo3K+3fC/j6U3VwV5k7j5awX300zQUGtZV:e+L463VwXgj5aEkHUGtZV

    Score
    10/10
    discoveryexecutionvipkeyloggercollectionkeyloggerstealer

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

      stealerkeyloggervipkeylogger

    • Vipkeylogger family

      vipkeylogger

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

      collection

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      7KB

    • MD5

      675c4948e1efc929edcabfe67148eddd

    • SHA1

      f5bdd2c4329ed2732ecfe3423c3cc482606eb28e

    • SHA256

      1076ca39c449ed1a968021b76ef31f22a5692dfafeea29460e8d970a63c59906

    • SHA512

      61737021f86f54279d0a4e35db0d0808e9a55d89784a31d597f2e4b65b7bbeec99aa6c79d65258259130eeda2e5b2820f4f1247777a3010f2dc53e30c612a683

    • SSDEEP

      96:J9zdzBzMDByZtr/HDQIUIq9m6v6vBckzu9wSBpLEgvElHlernNQaSGYuH2DQ:JykDr/HA5v6G2IElFernNQZGdHW

    Score
    3/10
    discovery
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks