General

  • Target

    5af68288206ce122104dff83ffbbd10e0a7743e4101c418ccf76b0f4ea94096e.exe

  • Size

    608KB

  • Sample

    240828-sg7s8sshnf

  • MD5

    39286045ee263da904defc09ae60f82d

  • SHA1

    c9dd094a86ec03a437ef6419d5c1a2c8a685717f

  • SHA256

    5af68288206ce122104dff83ffbbd10e0a7743e4101c418ccf76b0f4ea94096e

  • SHA512

    4203297307590d525900b027890ba97b2b2ec7381020e093c5db1543331242b1950e8a51726d5c609b4e80d6f3c9b0bf477a0be378308df27b6bc4fa9a5308d7

  • SSDEEP

    12288:XbFZEP2kYGZakyOPu4yA97OjDWVNMHH2U+NM1LIQ:LPEPbYGO4yAGDZVr

Malware Config

Extracted

Family

vipkeylogger

Credentials
C2

https://api.telegram.org/bot7217871082:AAHWvKm2slJ7gY6FwmyWidwOa0RVoSaM_R8/sendMessage?chat_id=7137773399

Targets

    • Target

      5af68288206ce122104dff83ffbbd10e0a7743e4101c418ccf76b0f4ea94096e.exe

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15