General

  • Target

    17102024_1341_17102024_PO-94858.gz

  • Size

    771KB

  • Sample

    241017-qzgzeszcka

  • MD5

    b77fba1ef9cb1a0d587c9e8d63d73119

  • SHA1

    74922a37d03732520fbaaa7adbd4eb7539a61279

  • SHA256

    d6d3e11dece00e76f60d74fb2c117ae261c961fbb37030fc8d6ad748510914ae

  • SHA512

    e1993a4c33d550becade96dd551218955a7785ea837cd1a2f533ab7095d2565da8206be76b977596ef718057e237ede0e42bc5941fb67bdd81a99d52e82285fc

  • SSDEEP

    24576:MXZ1oU9kdlx/INqTTYUYHJ1qQDFzKdM0D7hRRn:W/oU9b9DFzK6SRRn

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      PO-94858.exe

    • Size

      876KB

    • MD5

      efeb7d261da3f778abf002c69a971eb8

    • SHA1

      f4e570bf56015da2c76faac8dc8f28a7e3a3d8a3

    • SHA256

      cf2afee6c1871706deb922c7105c9e5bf6a2bbaca312b1b4ec4951dcfa033ea7

    • SHA512

      5cbcd6b9b06f63019e9c00e47e4bee071079e81792ea8cd6173d4f544c15b852090f38e3a642dbc51dd357068634a4b769098204f9f409119a3675eb4d98487e

    • SSDEEP

      24576:sw5i21T5xhInKT/Y2ol8tdi817TWdg0F7RR:sV017TWSyR

    • Guloader,Cloudeye

      A shellcode-based downloader first seen in 2020. The dropped $PLUGINSDIR/System.dll listed below is the NSIS System plugin, which lets an NSIS installer script call arbitrary Windows APIs; GuLoader is commonly delivered as an NSIS installer that uses it to run its shellcode.

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first observed in 2020.

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store user data (profiles, stored credentials) on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

      Creates a thread with the hide-from-debugger flag so an attached debugger receives no events for it; an anti-analysis technique.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Sets ThreadHideFromDebugger on an existing thread for the same effect.

    • Suspicious use of SetThreadContext

      Rewriting another thread's register context is the usual way a loader redirects execution into injected code (for example in process hollowing).

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      4d3b19a81bd51f8ce44b93643a4e3a99

    • SHA1

      35f8b00e85577b014080df98bd2c378351d9b3e9

    • SHA256

      fda0018ab182ac6025d2fc9a2efcce3745d1da21ce5141859f8286cf319a52ce

    • SHA512

      b2ba9c961c0e1617f802990587a9000979ab5cc493ae2f8ca852eb43eeaf24916b0b29057dbff7d41a1797dfb2dce3db41990e8639b8f205771dbec3fd80f622

    • SSDEEP

      192:BPtkumJX7zB22kGwfy0mtVgkCPOse1un:u702k5qpdseQn

    Score
    3/10
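The report lists separate hashes for the outer .gz container, the inner PO-94858.exe and the dropped NSIS plugin, so a hash lookup on the archive alone will miss the payload and vice versa. The following added example (not part of the report or of any sandbox's own code) shows a small triage helper that hashes a sample, inflates it if it is gzip (with a size cap as a decompression-bomb guard), and matches each layer against the hash set above. The constructed_sample() stand-in is a fake PE stub I built for testing and is not the real malware; the 64 MiB inflate limit is an assumed policy value.

```python
import gzip
import hashlib
import io

# Hashes copied from the report above: the outer .gz container, the inner PE
# and the NSIS plugin it drops. A layer matches only if every listed hash agrees.
REPORT_IOCS = {
    "17102024_1341_17102024_PO-94858.gz": {
        "md5": "b77fba1ef9cb1a0d587c9e8d63d73119",
        "sha1": "74922a37d03732520fbaaa7adbd4eb7539a61279",
        "sha256": "d6d3e11dece00e76f60d74fb2c117ae261c961fbb37030fc8d6ad748510914ae",
    },
    "PO-94858.exe": {
        "md5": "efeb7d261da3f778abf002c69a971eb8",
        "sha1": "f4e570bf56015da2c76faac8dc8f28a7e3a3d8a3",
        "sha256": "cf2afee6c1871706deb922c7105c9e5bf6a2bbaca312b1b4ec4951dcfa033ea7",
    },
    "$PLUGINSDIR/System.dll": {
        "md5": "4d3b19a81bd51f8ce44b93643a4e3a99",
        "sha1": "35f8b00e85577b014080df98bd2c378351d9b3e9",
        "sha256": "fda0018ab182ac6025d2fc9a2efcce3745d1da21ce5141859f8286cf319a52ce",
    },
}

GZIP_MAGIC = b"\x1f\x8b"
MAX_INFLATED = 64 * 1024 * 1024  # assumed policy: refuse to inflate more than 64 MiB


def digests(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of a byte string, keyed by algorithm name."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def match_iocs(data: bytes, iocs=REPORT_IOCS):
    """Name of the report entry whose listed hashes all equal those of data, else None."""
    computed = digests(data)
    for name, known in iocs.items():
        if known and all(computed[alg] == value for alg, value in known.items()):
            return name
    return None


def inflate_gzip(data: bytes, limit: int = MAX_INFLATED) -> bytes:
    """Decompress one gzip member, refusing output larger than limit bytes."""
    with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
        out = gz.read(limit + 1)  # read one byte past the cap to detect overrun
    if len(out) > limit:
        raise ValueError("inflated size exceeds limit; possible decompression bomb")
    return out


def triage(sample: bytes, iocs=REPORT_IOCS) -> list:
    """Hash the sample and, if it is gzip, its inflated payload as a second layer.

    Returns one dict per layer with the digests and the matched report entry (or None).
    """
    layers = [{"layer": "container", "digests": digests(sample), "match": match_iocs(sample, iocs)}]
    if sample.startswith(GZIP_MAGIC):
        inner = inflate_gzip(sample)
        layers.append({"layer": "payload", "digests": digests(inner), "match": match_iocs(inner, iocs)})
    return layers


def constructed_sample():
    """Constructed stand-in for a test run: a fake PE stub wrapped in gzip, not the real sample."""
    fake_pe = b"MZ" + b"\x00" * 62 + b"PE\x00\x00"
    return fake_pe, gzip.compress(fake_pe)


if __name__ == "__main__":
    _, archive = constructed_sample()
    for layer in triage(archive):
        print(layer["layer"], layer["digests"]["sha256"], layer["match"])
```

Feeding the real archive from the report to triage() would return "17102024_1341_17102024_PO-94858.gz" for the container layer and "PO-94858.exe" for the payload layer; the constructed stand-in matches nothing, which is the expected result for an unknown file. SSDEEP is deliberately left out because fuzzy hashing needs the ssdeep library and a similarity threshold rather than equality.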

MITRE ATT&CK Enterprise v15

Tasks