General

  • Target

    1a08f58dcfbfa93816b453302440320837d854125a6a6e5999bd5642698f4123.exe

  • Size

    628KB

  • Sample

    240828-r77qgssdrh

  • MD5

    a7587617be34b17d5b28ead97a4943fc

  • SHA1

    d990182fb54b478ba299a65c28fd31c536881e0c

  • SHA256

    1a08f58dcfbfa93816b453302440320837d854125a6a6e5999bd5642698f4123

  • SHA512

    c12412145ec79eeb3f1a0f48471f6fa4efff870b21da996e258ef771a90e3424baccd0adc4475fd5ae3b8e02bbe6a097d093c2ae783e36c5ba646776b624e9ed

  • SSDEEP

    12288:ebFZsdRYzeQGOADGnQKfzNLGlo9g05UshRtcJ56tiHH2U+NM1LIA:IPsRQZADGtBCo9gdjVv

Malware Config

Extracted

Family

vipkeylogger

Credentials

C2

https://api.telegram.org/bot7509624540:AAHhg6fRy8hkuDF6yU2iSzbNZVKvlRagMx8/sendMessage?chat_id=7451270736

Targets

    • Target

      1a08f58dcfbfa93816b453302440320837d854125a6a6e5999bd5642698f4123.exe

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks