General

  • Target

    3f0f5c91cc7222f6b1a50d6b885cdf84d71e6a3f7810f6ea15830d237393acdf.exe

  • Size

    610KB

  • Sample

    240828-sdt3zasgle

  • MD5

    c2d013bab9d089ed4d1493d784a39708

  • SHA1

    ee48217718e678e63bb8d8701f1f1984c66e65f6

  • SHA256

    3f0f5c91cc7222f6b1a50d6b885cdf84d71e6a3f7810f6ea15830d237393acdf

  • SHA512

    3fdb943e6dbd9d84725516db1e05fe7536c8907fdb4b8ac7f1d70133055d27f90d988597c6ea238401a641a65c6fe43f2d07cfb7b83f7e7b5ef6ba1cd17c8594

  • SSDEEP

    12288:nbFZTcJ/Wdc7YmNI4Hg3jHrLVaBXtCyEMPHH2U+NM1LI:bPT8/MM1s3LKXtCp2V

Malware Config

Extracted

Family

vipkeylogger

Credentials

C2

https://api.telegram.org/bot7279152827:AAG-WZ02OUAib28bSfyl1nfxZXIa0IdG1b4/sendMessage?chat_id=5913849875

Targets

    • Target

      3f0f5c91cc7222f6b1a50d6b885cdf84d71e6a3f7810f6ea15830d237393acdf.exe

    • Size

      610KB

    • MD5

      c2d013bab9d089ed4d1493d784a39708

    • SHA1

      ee48217718e678e63bb8d8701f1f1984c66e65f6

    • SHA256

      3f0f5c91cc7222f6b1a50d6b885cdf84d71e6a3f7810f6ea15830d237393acdf

    • SHA512

      3fdb943e6dbd9d84725516db1e05fe7536c8907fdb4b8ac7f1d70133055d27f90d988597c6ea238401a641a65c6fe43f2d07cfb7b83f7e7b5ef6ba1cd17c8594

    • SSDEEP

      12288:nbFZTcJ/Wdc7YmNI4Hg3jHrLVaBXtCyEMPHH2U+NM1LI:bPT8/MM1s3LKXtCp2V

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Accesses Microsoft Outlook profiles

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15