General

  • Target

    Factura.exe

  • Size

    541KB

  • Sample

    240903-qec5qsydrc

  • MD5

    b474081dbbfe5e29ccef7c820dc378ad

  • SHA1

    c2fff6685dbddcc07f94fbcce40f32b2bec7f823

  • SHA256

    77d7c5f6925455c74f6ce5f9e22e958ca129a78e5bff20b0845c2cefb4682d68

  • SHA512

    733aac7db3aa8a5fd47a13d9324955f18b5c6ceb37060fd8b26fae9e64406a9526f9ed6ccb8864cf649090205369a135036c98377bfc9bbb10fe71445e673172

  • SSDEEP

    12288:WbElBJTA2lN4R+2QWfd4jFs0eZhDKxORueodoF08/PE9UlJiLXqli6:WYlBpjN4RfdA65TDKxORue0oGSPaIP

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      Factura.exe

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first found in 2020.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks