General

  • Target

    0815e4fcd9b75660891ec15ce119fa70N.exe

  • Size

    698KB

  • Sample

    240831-2a8lmayflg

  • MD5

    0815e4fcd9b75660891ec15ce119fa70

  • SHA1

    7f8c1c73194725dce424b72ff2306203f3590c3b

  • SHA256

    89a9123df318a4c77a378e687f5e4c1c7f7806d64c85a7360a556b487343a49b

  • SHA512

    c613b96c177294bbbfce2e0b86d15f32d2c7c579bf4c50ef0940ae697e7cfa0f36512ff7fa221c2a5b6963ca6b000b34876707bdc56351c20d20a3ee54fa68ba

  • SSDEEP

    12288:67MJHZFQpHB5LOBTCUbINBoQYwXsCGJt5aFp0zS6w+CAG0snsQc:6IJHoph5CBTCUUN6QYwZrH6VfAsQc

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7480851360:AAFGFIgeYioB7dUKsMFuCrt400Zxu2IugeM/sendMessage?chat_id=6070006284

Targets

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first observed in 2020.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks