General

  • Target

    tmtzxc.doc

  • Size

    590KB

  • Sample

    241001-r27hjavcjp

  • MD5

    08d1a4e26971fd55013dbc7d2744b2a5

  • SHA1

    dd813694fc67b536f242ae7dd3deff14458b82ba

  • SHA256

    fd1ca8e9ebe962f23b55669ea495bdb32073b7359031e80a7067d387c0bfa8dc

  • SHA512

    3c34748ed68738a24d6c7f1482b4b2f5a26fb6c2a85a1fc0a5303123928fb56974532af9d43b9bb9027558a03be79cf31b48a0c4cb28c41fd833f25e8bb035b6

  • SSDEEP

    3072:nsa7eTzUetoCmiSHnm3WscLmvSVs+aN0X4rP55:nsYeXSG3WscLmvSa+aNyG55

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      tmtzxc.doc

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Both calls set the THREAD_HIDE_FROM_DEBUGGER flag, so the thread stops delivering debug events to an attached debugger: a common anti-analysis technique.

    • Suspicious use of SetThreadContext

      Rewriting another thread's context (typically its instruction pointer) is characteristic of process hollowing and similar injection techniques that run the payload inside a legitimate process.
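The behavioural signatures above (Office process making network requests, a PE written and executed from a user-writable path, an external-IP lookup from the dropped process) can be turned into a simple hunt over endpoint telemetry. The following Python is an added example and is not part of the sandbox report or of any tool it describes: the Sysmon-style events are constructed, the rule names are my own, and the set of IP-lookup hosts is an assumption (the report does not say which service this sample used).

```python
"""Hunt for the behaviours listed in the sandbox report over Sysmon-style
events.  Events are dicts with keys: id (Sysmon EventID), pid, image and,
depending on id, ppid/parent_image (1), dest_host (3/22) or target (11).
All sample data below is constructed for the example."""

# Assumption: common public IP-lookup services; the report does not name the one
# this sample used, so extend this set from your own telemetry.
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "ip-api.com",
                   "ipinfo.io", "icanhazip.com", "checkip.amazonaws.com"}
# Office images that normally have no business spawning EXEs or writing PE files.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
# Path fragments for locations a dropped payload is usually written to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def base(image):
    """Lower-cased file name of an image path."""
    return image.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return a list of (rule, pid, detail) hits; events must be in time order."""
    hits = []
    office_pids = set()  # Office processes and everything they (transitively) spawn
    for ev in events:
        img = base(ev["image"])
        if ev["id"] == 1:  # process create
            if img in OFFICE_IMAGES:
                office_pids.add(ev["pid"])
            parent = base(ev.get("parent_image", ""))
            if parent in OFFICE_IMAGES or ev.get("ppid") in office_pids:
                office_pids.add(ev["pid"])
                # "Executes dropped EXE": Office child running from a drop location
                if any(frag in ev["image"].lower() for frag in USER_WRITABLE):
                    hits.append(("office_spawns_dropped_exe", ev["pid"], ev["image"]))
        elif ev["id"] == 11:  # file create
            # "Downloads MZ/PE file": Office writes a PE to disk.  Sysmon only gives
            # the path, so this keys on the extension; a content pipeline should
            # additionally check for the "MZ" header.
            if ev["pid"] in office_pids and ev["target"].lower().endswith((".exe", ".dll")):
                hits.append(("office_writes_pe", ev["pid"], ev["target"]))
        elif ev["id"] in (3, 22):  # network connect / DNS query
            host = ev.get("dest_host", "").lower()
            # "Blocklisted process makes network request"
            if img in OFFICE_IMAGES:
                hits.append(("office_network_request", ev["pid"], host))
            # "Looks up external IP address via web service" from the infection chain
            if host in IP_LOOKUP_HOSTS and ev["pid"] in office_pids:
                hits.append(("external_ip_lookup", ev["pid"], host))
    return hits


WINWORD = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
DROPPED = "C:\\Users\\victim\\AppData\\Roaming\\dropped.exe"  # constructed name
EXPLORER = "C:\\Windows\\explorer.exe"

# Constructed event stream: Word fetches a file, writes a PE, runs it, and the
# payload looks up the external IP.  The final explorer.exe lookup is benign noise.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 100, "image": EXPLORER, "ppid": 1, "parent_image": ""},
    {"id": 1, "pid": 4100, "image": WINWORD, "ppid": 100, "parent_image": EXPLORER},
    {"id": 3, "pid": 4100, "image": WINWORD, "dest_host": "example.com"},
    {"id": 11, "pid": 4100, "image": WINWORD, "target": DROPPED},
    {"id": 1, "pid": 5200, "image": DROPPED, "ppid": 4100, "parent_image": WINWORD},
    {"id": 22, "pid": 5200, "image": DROPPED, "dest_host": "api.ipify.org"},
    {"id": 22, "pid": 100, "image": EXPLORER, "dest_host": "api.ipify.org"},
]

if __name__ == "__main__":
    for rule, pid, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:28} pid={pid} {detail}")
```

Each hit on its own is noisy (IT scripts also query ip-api.com); the value is in the chain, so in practice correlate the four rules on the same Office process tree within a short window before alerting.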

MITRE ATT&CK Enterprise v15

Tasks