General

  • Target

    27a27f7a05d98177ca443f7341412869205ce10deaec52148989f4ded45605fc.exe

  • Size

    439KB

  • Sample

    240828-bv4kas1dnj

  • MD5

    a3094d8d79d3b10a780b34f7aa33b5a5

  • SHA1

    a63a8485ef89c17dc52ebd2becece3ce0611f820

  • SHA256

    27a27f7a05d98177ca443f7341412869205ce10deaec52148989f4ded45605fc

  • SHA512

    7ef29f44cc49e995b9444d06a7d5761617d4c4a4eca94bb9cf3098d0f784d075826bb418f3fb6456e7f2f76a217410497ff6f33f0db1c667289a5b6c370d9b4c

  • SSDEEP

    12288:qcFfMljqwiITfk5AzYPB8phW3af7mIucSICc71RQ:qcJMlj7roJ2phse7mIpa

Malware Config

Extracted

  • Family

    vipkeylogger

  • Credentials

Targets

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Accesses Microsoft Outlook profiles

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
