Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    PI ITS15235.doc

  • Size

    143KB

  • Sample

    250114-hxmswssphj

  • MD5

    c8e60db8174345c243187675d4c760de

  • SHA1

    34bdd0903708f1ab747cbb45a6a292517e1df83e

  • SHA256

    94519fee9d47fd0262d1dd50e0bf20ea7cb0962b3a1e1de217c5f462b0633fab

  • SHA512

    ae643f21123ef8514bf4ac405f0f385534b7d87fa681669d8bc276b81cecfce0e4660843aa442ec52882ca66e8f7cf80c3952bd0fc039ac5dc0d8047b970e769

  • SSDEEP

    1536:L7dgmjjy2lQkySTUb2roegTK+g9WomfaQjSqttJnkL5mS9kBwNR42q8Z:LZPjbTU+J799IjSqtteL5N9kBF2

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.irco.com.sa
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    info12A

Extracted

Family

vipkeylogger

Targets

    • Target

      PI ITS15235.doc

    • Size

      143KB

    • MD5

      c8e60db8174345c243187675d4c760de

    • SHA1

      34bdd0903708f1ab747cbb45a6a292517e1df83e

    • SHA256

      94519fee9d47fd0262d1dd50e0bf20ea7cb0962b3a1e1de217c5f462b0633fab

    • SHA512

      ae643f21123ef8514bf4ac405f0f385534b7d87fa681669d8bc276b81cecfce0e4660843aa442ec52882ca66e8f7cf80c3952bd0fc039ac5dc0d8047b970e769

    • SSDEEP

      1536:L7dgmjjy2lQkySTUb2roegTK+g9WomfaQjSqttJnkL5mS9kBwNR42q8Z:LZPjbTU+J799IjSqtteL5N9kBF2

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    • Vipkeylogger family

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks