General
-
Target
SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe
-
Size
1.2MB
-
Sample
240925-txh1gsybrf
-
MD5
bfc2f15c9fbb61f2f666642b13128192
-
SHA1
f201a42946422e7efd6d878ba2f4c5d8c4acee31
-
SHA256
ffac4f21d52da5b3179d991d975be683789f0c450b8fc1712ff5dbafb0cc72c4
-
SHA512
2fac6e6d185b1b653119f35a8a6490e065d3a4d73d310c0b12b9d8223e39f8c119035e105420130231044f6b83c68252cca1ac2c5c415631b76996601ed6e37e
-
SSDEEP
24576:pRmJkcoQricOIQxiZY1iaJOfhm+R6BIQczyvq6LC/LQ4yZG6T7frw/5:mJZoQrbTFZY1iaJZtKQccq6LeU3rc5
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe
Resource
win10v2004-20240802-en
Malware Config
Extracted
Protocol: smtp
Host: us2.smtp.mailhostbox.com
Port: 587
Username: [email protected]
Password: D4v_8+edvC?l. .
Extracted
vipkeylogger
Protocol: smtp
Host: us2.smtp.mailhostbox.com
Port: 587
Username: [email protected]
Password: D4v_8+edvC?l. .
Email To: [email protected]
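The extracted configuration above is the stealer's exfiltration channel: it submits captured data over SMTP to the mailbox host on the submission port. The following is an added example, not part of the sandbox report, showing how a practitioner would turn that config into a network detection. The host, port and protocol are taken from the report; the username and recipient are rendered only as an obfuscated placeholder on the page, so the code treats them as unknown rather than guessing them. The SMTP session records and the relay allowlist are constructed for illustration.

```python
"""Added example (not part of the sandbox report): turn the extracted
VIPKeylogger SMTP configuration into a simple exfiltration detector.

Host, port and protocol come from the report. The username is elided
(obfuscated placeholder) on the page, so it is treated as unknown.
The session records at the bottom are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Extracted config, transcribed from the report above.
EXTRACTED_CONFIG = """\
Protocol: smtp
Host: us2.smtp.mailhostbox.com
Port: 587
Username: [email protected]
"""

# Placeholder the page renders in place of the real address; not an IOC.
ELIDED = "[email protected]"


def parse_config(text: str) -> Dict[str, Optional[object]]:
    """Parse 'Key: value' lines into a dict; elided fields become None."""
    cfg: Dict[str, Optional[object]] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        cfg[key.strip().lower()] = None if value == ELIDED else value
    cfg["port"] = int(cfg["port"])  # type: ignore[arg-type]
    return cfg


@dataclass(frozen=True)
class SmtpConn:
    """One outbound SMTP session as a network sensor might log it."""
    src: str                      # internal client address
    dst_host: str                 # server name from DNS or TLS SNI
    dst_port: int
    auth_user: Optional[str] = None  # AUTH LOGIN/PLAIN user, if observed


# Hosts that legitimately speak outbound SMTP (assumed for this example).
MAIL_RELAYS = {"10.0.0.25"}


def detect_exfil(cfg: Dict[str, Optional[object]], conns: List[SmtpConn]) -> List[str]:
    """Return one alert string per session that matches the extracted config.

    Three checks, strongest first: exact C2 mailbox host and port, the
    stolen-mailbox username (only usable when the config has it), and the
    weaker behavioural signal of a non-relay host using the submission port.
    """
    host = str(cfg["host"]).lower()
    port = int(cfg["port"])  # type: ignore[arg-type]
    user = cfg.get("username")
    alerts = []
    for c in conns:
        reasons = []
        if c.dst_host.lower() == host and c.dst_port == port:
            reasons.append("C2 mailbox host %s:%d" % (host, port))
        if user and c.auth_user == user:
            reasons.append("SMTP AUTH as %s" % user)
        if c.src not in MAIL_RELAYS and c.dst_port == port:
            reasons.append("submission port %d from non-relay %s" % (port, c.src))
        if reasons:
            alerts.append("%s -> %s:%d: %s" % (c.src, c.dst_host, c.dst_port, "; ".join(reasons)))
    return alerts


# Constructed sample sessions: a legitimate relay, an infected workstation
# talking to the configured mailbox host, and a client on 587 to another provider.
SAMPLE_CONNS = [
    SmtpConn("10.0.0.25", "smtp.example.net", 25),
    SmtpConn("10.0.7.42", "us2.smtp.mailhostbox.com", 587),
    SmtpConn("10.0.7.43", "smtp.office365.com", 587),
]

if __name__ == "__main__":
    for alert in detect_exfil(parse_config(EXTRACTED_CONFIG), SAMPLE_CONNS):
        print(alert)
```

The third check is deliberately noisy: workstations that use an external mail provider on port 587 will match it, so it is a triage signal to pair with the host match, not a standalone block rule. Once the real mailbox username is known (from a memory dump or decrypted config), the second check becomes the most precise indicator, because the attacker's credential travels with every infected host.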
Targets
-
-
Target
SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe
-
Size
1.2MB
-
MD5
bfc2f15c9fbb61f2f666642b13128192
-
SHA1
f201a42946422e7efd6d878ba2f4c5d8c4acee31
-
SHA256
ffac4f21d52da5b3179d991d975be683789f0c450b8fc1712ff5dbafb0cc72c4
-
SHA512
2fac6e6d185b1b653119f35a8a6490e065d3a4d73d310c0b12b9d8223e39f8c119035e105420130231044f6b83c68252cca1ac2c5c415631b76996601ed6e37e
-
SSDEEP
24576:pRmJkcoQricOIQxiZY1iaJOfhm+R6BIQczyvq6LC/LQ4yZG6T7frw/5:mJZoQrbTFZY1iaJZtKQccq6LeU3rc5
Score 10/10
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# that resembles SnakeKeylogger, a family first seen in 2020.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
Rewriting another thread's context is a common step in code injection and process hollowing.
-
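The "AutoIT Executable" signature above means the C# payload is wrapped in a compiled AutoIt v3 script, which is what an analyst should unpack first. The following is an added example, not part of the sandbox report, of the triage check behind that signature: compiled AutoIt v3 scripts embed the script blob behind a fixed 16-byte magic followed by the ASCII tag AU3!EA06, the marker AutoIt decompilers search for. The sample byte strings are constructed stand-ins, not bytes from the real sample.

```python
"""Added example (not part of the sandbox report): locate the compiled
AutoIt v3 script header inside a PE file, the check behind the
'AutoIT Executable' signature. The sample buffers are constructed.
"""
import sys
from typing import List

# 16-byte magic that prefixes the compiled-script blob in AutoIt v3 binaries,
# followed by the version tag 'AU3!EA06' (the marker decompilers look for).
AU3_MAGIC = bytes.fromhex("a3484bbe986c4aa9994c530a86d6487d")
AU3_TAG = b"AU3!EA06"


def find_autoit_script(data: bytes) -> List[int]:
    """Return the offset of every AutoIt v3 script header found in ``data``."""
    hits: List[int] = []
    start = 0
    while True:
        i = data.find(AU3_MAGIC, start)
        if i < 0:
            return hits
        tag_at = i + len(AU3_MAGIC)
        if data[tag_at: tag_at + len(AU3_TAG)] == AU3_TAG:
            hits.append(i)
        start = i + 1


def is_autoit_compiled(data: bytes) -> bool:
    """True when the buffer is a PE (MZ header) carrying an AutoIt v3 script."""
    return data[:2] == b"MZ" and bool(find_autoit_script(data))


# Constructed stand-ins: a fake PE with the script header in its overlay,
# and one without. Real samples place the header after the AutoIt stub.
FAKE_AUTOIT_PE = (
    b"MZ" + b"\x00" * 510 + b"stub code" + b"\x00" * 64
    + AU3_MAGIC + AU3_TAG + b"\x00" * 32
)
FAKE_PLAIN_PE = b"MZ" + b"\x00" * 510 + b"no script here" + b"\x00" * 64

if __name__ == "__main__":
    # Usage: python autoit_check.py <file>; without a path, scans the fake sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else FAKE_AUTOIT_PE
    print("AutoIt script header(s) at:", find_autoit_script(blob))
```

A hit tells you to hand the file to an AutoIt decompiler and read the script, which is where the injection logic behind the SetThreadContext signature and the embedded C# payload will be; a miss on a file the sandbox still flagged as AutoIt usually means the marker sits in a packed or dropped stage rather than the outer executable.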