General

  • Target

    rPedidodeCota____o-20250325_pdf.exe

  • Size

    691KB

  • Sample

    250325-vh6nnsy1av

  • MD5

    8f54f3992cc7a3da06c8a617b5816419

  • SHA1

    a9e4a75e65b80860b3267a9883001617ca836d95

  • SHA256

    1f20d50f886138f94232c9b6b848163f5ed7edf4ed473c1507411b06b840debf

  • SHA512

    543aeceb7732758d063371538f9ef549b8542e7c586693c67b81840b57700f1500f359782d6c07ebb5222182c9c0d728ff39474e240fe0133851835c36c5b609

  • SSDEEP

    12288:mk+LIW771Zv4Wivvf+Nlv7c6YWRdxk4JzpnAwTIEUvKkwvqGMeys1c:SLjbv4WivvWNlvoMdm4JFAlMPmac

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      rPedidodeCota____o-20250325_pdf.exe (691KB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General above)

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was discovered in 2020.

    • Vipkeylogger family

    • Accesses Microsoft Outlook profiles

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Burrawang.Euo

    • Size

      50KB

    • MD5

      6d32d99c206a81fcfc06d7ed6225282d

    • SHA1

      f3740ea1acaa8452aa34a4dda3c1a6865881845c

    • SHA256

      d8602baba5af6700d20d5e2048fd527b3d84e4c5c78abb1b95f9abb20fee2c94

    • SHA512

      f430ed98550e4fdf4bd1905251ab0f81374c88b29d245a6c5fba7c1e9fd58d01b93467efd2e7813e7b37e76affdb985a24bdae715eb07f9215d77fd77253f22b

    • SSDEEP

      1536:HyMLcrTk2qMrlNQFNynfVkkyRDWSW1cZJI4:HZIXYnIkZWSW1K

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks