General

  • Target

    RICHIESTA_OFFERTA_RDO2400423.docx.doc

  • Size

    264KB

  • Sample

    241003-pzh12sxhjr

  • MD5

    5efaab9d9accf59510dafa162e958340

  • SHA1

    4d2d9082c9e29d7f218feea392e3bb59a0b5719a

  • SHA256

    b5b6a451d04745638c7ecf24dbcc73655bb5942bf63a8da317bd7a6badb8dddf

  • SHA512

    b5e85d750249a1d4415fe29597720b7a7f293e0013d326d43d986cc966a2d12e4273fc66cef0a438be20eecca55be269e51ec13c28ed3e7f6b102d2ade0f9a99

  • SSDEEP

    6144:syrTTW+ch8x2ZpfRkdxyl+cOpFVozXHN5dOG:fwy2O1c0buXHNXF

Malware Config

Extracted

  • Family

    vipkeylogger

  • Credentials

Targets

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first found in 2020.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Abuses OpenXML format to download file from external location

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks