General

  • Target

    7c1ad8a54344a8a03746095e7c599266cf9c0a7d62b87e9b3e4a677e70539ed9

  • Size

    536KB

  • Sample

    240903-mcyf4svfpf

  • MD5

    43250fd2686374021b7e5f2115c25804

  • SHA1

    94d018be9a9c79285c6e4e5e0ce0afa6772ea08d

  • SHA256

    7c1ad8a54344a8a03746095e7c599266cf9c0a7d62b87e9b3e4a677e70539ed9

  • SHA512

    5c793b4cbc90dfbcc50ad12c90fd036fc20f57ed59f8043dd8987cb1a370467967a7c4ca1e6ca7fa72f60fd60dc48b8686714fb4815be7c465060e860096b1ce

  • SSDEEP

    12288:K/nbhailLak44/I46g33kyDxnjVF+mfKJYdFSmyXFFhDsOfOw9PmQ3v:KfbLlt/G635nRF+kHdEmcFFhDF3Jm6

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot6514469045:AAGgK1KLWbAJZ7dNmeGHg2OB9PfOTjGrT08/sendMessage?chat_id=6070006284

Targets

    • Target

      Skrumle.exe

    • Size

      549KB

    • MD5

      278b43ed6614a0e9c3aff6f71413ec3e

    • SHA1

      5a7f4d176616ddab152a042a0b51dc749342f234

    • SHA256

      e6ef239f60467f0428bd611f70d544754a56143c661fa4a025b395f152575644

    • SHA512

      274296754d8d2167f92f82e06a577162e8aafef1ad2abeadd1d62e291b4ca932df8e1315916f9bd4f50d281ff7b0398a3b4cec2e99b38361261c9ce0feca3fc5

    • SSDEEP

      12288:WL7WI/16Qw1BP5eTTmvsKVzQInWdahufDou:WvW+16QG8sW5fcu

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first found in 2020.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks