General

  • Target: Unmovablety.exe
  • Size: 541KB
  • Sample: 240902-lfl2taxbqk
  • MD5: f1f60d1a0e1fb37935260f7404efb573
  • SHA1: 6cbf09ce82885ae8a3006a8c1b0a86ad42d4e55c
  • SHA256: 94410d4feaedbb9e2d405cedf3d950c83b0a1d9e0546ba536c5f5ff45c38898e
  • SHA512: ff29bc44c8b930a9ee9da6f2e26a2a01af1a38d805e8d6ead9115faa92aa10c198ed12339f79c583743dc7919114be15fddf8cad35eb2cc7c69f2dd87764bae4
  • SSDEEP: 12288:WZYdCQrWEIxoOOpSRB1fVFGBMLSn0RrvXKCFfaM3ivOqjz:W2dCQpPpS9fVFGBMLI0l62yMyvO6z

Malware Config

Extracted

  • Family: vipkeylogger
  • C2: https://api.telegram.org/bot7480851360:AAFGFIgeYioB7dUKsMFuCrt400Zxu2IugeM/sendMessage?chat_id=6070006284

Targets

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first observed in 2020.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15