General

  • Target

    Hesap Hareketleri 24-03-2025.exe

  • Size

    1.2MB

  • Sample

    250325-t82a7sspy6

  • MD5

    b20c9b533a3653d9d3df96f0839aa9f0

  • SHA1

    81e1b8c8194f3400ccf994868ad80c5e593f99fd

  • SHA256

    bcd4c78326d20e0467c2f25bf48918f11e477206c88e49add8a5db66e2c89eba

  • SHA512

    0551463b9db98d4f7e0fc1f5b10e1d78289392d0022c7738425c222351d43a6d509808e7a358ffbb6bd878976a39a26d80371d7dfe9f3ce3f0e329755b55d8ad

  • SSDEEP

    24576:KCw1KkcWmYFvj/rYDVb3n/YMXNTlDSB1mWH1pZlLKXMJOCQP+/5q:O1KkNFjrYR3TlWB1H17snPIg

Malware Config

Extracted

  • Family

    vipkeylogger

  • Credentials

Targets

    • Target

      Hesap Hareketleri 24-03-2025.exe

    • Size

      1.2MB

    • MD5

      b20c9b533a3653d9d3df96f0839aa9f0

    • SHA1

      81e1b8c8194f3400ccf994868ad80c5e593f99fd

    • SHA256

      bcd4c78326d20e0467c2f25bf48918f11e477206c88e49add8a5db66e2c89eba

    • SHA512

      0551463b9db98d4f7e0fc1f5b10e1d78289392d0022c7738425c222351d43a6d509808e7a358ffbb6bd878976a39a26d80371d7dfe9f3ce3f0e329755b55d8ad

    • SSDEEP

      24576:KCw1KkcWmYFvj/rYDVb3n/YMXNTlDSB1mWH1pZlLKXMJOCQP+/5q:O1KkNFjrYR3TlWB1H17snPIg

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first observed in 2020.

    • Vipkeylogger family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Accesses Microsoft Outlook profiles

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Synligeres.Spi

    • Size

      50KB

    • MD5

      1b3d6301bfb47cc724b472b5d7c9f94f

    • SHA1

      2d6e1d5efe83eb495f7022ef1ecfc0726fc2406c

    • SHA256

      246696dc09994f4e4160a8ed84c0e4b22bdc6719653bf9928510f7577d9d60ab

    • SHA512

      ec48e3f164e4b49fd4234807773113285e009d1ae12317ae2899642c28f55cd0c0344d4d2de7eed490c81cabe4be292e594eef35801c2fe99bf1c15a160e48fe

    • SSDEEP

      1536:Q1zXl+xVD98H4h9GiTyzTKHX9EQcv/yHhKB0gLQ:Q1z1eSH09xTyzTbpST

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks