General

  • Target

    P.I.rar

  • Size

    777KB

  • Sample

    240930-nqasmsshml

  • MD5

    077c95f63d1afc0bcdb8e90950266d35

  • SHA1

    44cb2638939945e91756028c7e3ecfb0f2fb4a70

  • SHA256

    cc0aae85f487ba5223113115f450b48fad440ea76a775da472a65a3f3a92e980

  • SHA512

    0c649461b0fc28b49734bc2ecff4c672cd6801f67e927e7e7c1ce382b7b74639b0eef0a440be8a3c16a0bd97cef74d7d56db1678e44c9081b845bfd33940889a

  • SSDEEP

    24576:XGxnWXbE/a4NlkAweI7+0oQ2RhEm8wmp9vO2m5z6:XBE/aiqejPRF8hzv33

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      P.I.exe

    • Size

      805KB

    • MD5

      b6468b8eaaaebf85fa865fc21916f188

    • SHA1

      635f172f33361c94f19e320f3f0361956a81127f

    • SHA256

      3e39fdec85324251b3a2884f774f3427dddae31b9fca625ff3a7c4045ce4c9ef

    • SHA512

      fd03e7e3c5eb08de6be8089a9653b5a8973c2db984557fc55442a03b1eb4754686c6ebb80afa9f172a0d565bc5db9b3f6118d9171c93e7a850709610bc6cf1b3

    • SSDEEP

      12288:0CVTcsOSgBDm70Wxw2MKLtSGDvQhZybpi/3Qh0Uk7umqpo32nm3G4JxoZtWt:/VTcsrgw7de4SUviyw//7W2Gnm3Tw2t

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first found in 2020.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks