General

  • Target

    PO-94858.gz

  • Size

    771KB

  • Sample

    241017-r35qbs1gjb

  • MD5

    468ae169d3e9c45e78920edc96dff7f0

  • SHA1

    1e07cab00bf896f332aca09d20491b3efbadccbd

  • SHA256

    21c8b99227fa1f8c6148f5d4c9700c5902322e78d65e540032d6a6fe282e1757

  • SHA512

    9bf3c9ffd600107c5343e8f50dad4b9197e850e8aa44fa9dae38df4f2a69deb3ce71cb49d65bd7d8f5d4d16bc50db9cde4c8da4df7fafe066138d43bf6f378cc

  • SSDEEP

    24576:MXZ1oU9kdlx/INqTTYUYHJ1qQDFzKdM0D7hRRl:W/oU9b9DFzK6SRRl
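The report lists two layers with separate hashes: the 771KB PO-94858.gz above and the 876KB PO-94858.exe it unpacks to, so an indicator match on one layer does not fire on the other. As an added check (example code written for this page, not the sandbox's own tooling; the SHA256/MD5 values are copied from the report, the demo archive is constructed), the Python below hashes a file as delivered and, when it is a gzip stream, its decompressed payload too, then matches both layers against the report's SHA256 values. SSDEEP is omitted because it needs the external ssdeep library.

```python
"""Hash a gzip-wrapped dropper and its payload, then match both layers against
report indicators. Added example; hash values copied from the report, demo bytes constructed."""
import gzip
import hashlib

# Indicators copied from the report (one entry per listed target).
REPORT_IOCS = {
    "PO-94858.gz": {
        "md5": "468ae169d3e9c45e78920edc96dff7f0",
        "sha256": "21c8b99227fa1f8c6148f5d4c9700c5902322e78d65e540032d6a6fe282e1757",
    },
    "PO-94858.exe": {
        "md5": "efeb7d261da3f778abf002c69a971eb8",
        "sha256": "cf2afee6c1871706deb922c7105c9e5bf6a2bbaca312b1b4ec4951dcfa033ea7",
    },
    "$PLUGINSDIR/System.dll": {
        "md5": "4d3b19a81bd51f8ce44b93643a4e3a99",
        "sha256": "fda0018ab182ac6025d2fc9a2efcce3745d1da21ce5141859f8286cf319a52ce",
    },
}

GZIP_MAGIC = b"\x1f\x8b"


def digests(data: bytes) -> dict:
    """MD5/SHA1/SHA256/SHA512 of a byte string, keyed like the report's fields."""
    return {alg: hashlib.new(alg, data).hexdigest()
            for alg in ("md5", "sha1", "sha256", "sha512")}


def layers(blob: bytes) -> dict:
    """Hash the file as delivered ('outer') and, when it is a gzip stream, the
    decompressed payload ('inner'), which is the PO-94858.exe layer in this report."""
    result = {"outer": digests(blob), "inner": None}
    if blob[:2] == GZIP_MAGIC:
        try:
            result["inner"] = digests(gzip.decompress(blob))
        except (OSError, EOFError):   # truncated or corrupt archive: keep the outer hashes only
            pass
    return result


def match_iocs(blob: bytes, iocs: dict = REPORT_IOCS) -> list:
    """Names of IOC entries whose sha256 equals any layer of blob (sorted)."""
    seen = {d["sha256"] for d in layers(blob).values() if d is not None}
    return sorted(name for name, h in iocs.items() if h["sha256"] in seen)


def build_demo_archive() -> bytes:
    """Constructed stand-in for PO-94858.gz: a fake PE stub wrapped in gzip (not a real executable)."""
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 100
    return gzip.compress(fake_pe, mtime=0)


if __name__ == "__main__":
    demo = build_demo_archive()
    for layer, d in layers(demo).items():
        print(layer, d["sha256"] if d else None)
    print("IOC matches:", match_iocs(demo))
```

Run against a real download, the outer layer should equal the PO-94858.gz entry and the inner layer the PO-94858.exe entry; a hit on only one of them usually means the other layer was re-packed, which is exactly the case where hash-only matching breaks.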

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      PO-94858.exe

    • Size

      876KB

    • MD5

      efeb7d261da3f778abf002c69a971eb8

    • SHA1

      f4e570bf56015da2c76faac8dc8f28a7e3a3d8a3

    • SHA256

      cf2afee6c1871706deb922c7105c9e5bf6a2bbaca312b1b4ec4951dcfa033ea7

    • SHA512

      5cbcd6b9b06f63019e9c00e47e4bee071079e81792ea8cd6173d4f544c15b852090f38e3a642dbc51dd357068634a4b769098204f9f409119a3675eb4d98487e

    • SSDEEP

      24576:sw5i21T5xhInKT/Y2ol8tdi817TWdg0F7RR:sV017TWSyR

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

    • Loads dropped DLL

      The sample writes a DLL to disk and then loads it. The dropped DLL listed below, $PLUGINSDIR/System.dll, is the NSIS installer's System plug-in, which lets an installer script call arbitrary Win32 APIs.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive user data.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup web service to find the infected system's external IP address.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      4d3b19a81bd51f8ce44b93643a4e3a99

    • SHA1

      35f8b00e85577b014080df98bd2c378351d9b3e9

    • SHA256

      fda0018ab182ac6025d2fc9a2efcce3745d1da21ce5141859f8286cf319a52ce

    • SHA512

      b2ba9c961c0e1617f802990587a9000979ab5cc493ae2f8ca852eb43eeaf24916b0b29057dbff7d41a1797dfb2dce3db41990e8639b8f205771dbec3fd80f622

    • SSDEEP

      192:BPtkumJX7zB22kGwfy0mtVgkCPOse1un:u702k5qpdseQn

    Score
    3/10
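The behaviour signatures listed for PO-94858.exe (the two hide-from-debugger thread flags, SetThreadContext after a cross-process write, reads of browser and email credential stores, and the external-IP lookup) can be expressed as rules over a sandbox API trace. The Python below is an added example written for this page, not the sandbox's own rule set: the two thread constants are the documented Windows values, the trace is constructed to resemble this report's behaviour rather than taken from the real sample, and the path patterns and IP-lookup host list are an illustrative subset.

```python
"""Rules that raise this report's behaviour signatures from an API trace.
Added example with a constructed trace; not the sandbox's own detection logic."""
import re
from collections import defaultdict

# Documented Windows constants.
THREAD_HIDE_FROM_DEBUGGER = 0x11               # THREADINFOCLASS value for NtSetInformationThread
THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x4   # CreateFlags bit for NtCreateThreadEx

# Illustrative subset of on-disk credential stores (file paths and registry keys).
CREDENTIAL_STORES = {
    "web browsers": [r"\\Google\\Chrome\\User Data\\.*\\Login Data$",
                     r"\\Mozilla\\Firefox\\Profiles\\.*\\logins\.json$"],
    "email clients": [r"\\Thunderbird\\Profiles\\.*\\(logins\.json|key4\.db)$",
                      r"\\Outlook\\Profiles"],   # HKCU\Software\Microsoft\Office\<ver>\Outlook\Profiles
}
# Illustrative subset of legitimate external-IP lookup services.
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "icanhazip.com", "ip-api.com"}


def scan(trace):
    """trace: API events in call order, each a dict with 'api', 'pid' and call-specific
    fields. Returns {signature name: [matching events]}."""
    hits = defaultdict(list)
    remote_written = set()   # pids this sample has written memory into
    for ev in trace:
        api = ev["api"]
        if api == "NtSetInformationThread" and ev.get("info_class") == THREAD_HIDE_FROM_DEBUGGER:
            hits["Suspicious use of NtSetInformationThreadHideFromDebugger"].append(ev)
        elif api == "NtCreateThreadEx" and ev.get("flags", 0) & THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER:
            hits["Suspicious use of NtCreateThreadExHideFromDebugger"].append(ev)
        elif api == "WriteProcessMemory" and ev["target_pid"] != ev["pid"]:
            remote_written.add(ev["target_pid"])
        elif api == "SetThreadContext" and ev["target_pid"] in remote_written:
            # Redirecting a thread in a process we already wrote into: the hollowing pattern.
            hits["Suspicious use of SetThreadContext"].append(ev)
        elif api in ("NtCreateFile", "RegOpenKeyExW"):
            for kind, patterns in CREDENTIAL_STORES.items():
                if any(re.search(p, ev["path"], re.IGNORECASE) for p in patterns):
                    hits[f"Reads user/profile data of {kind}"].append(ev)
        elif api == "HttpSendRequestW" and ev["host"].lower() in IP_LOOKUP_HOSTS:
            hits["Looks up external IP address via web service"].append(ev)
    return dict(hits)


# Constructed trace shaped like this report (pid 1234 = loader, pid 5678 = hollowed child).
SAMPLE_TRACE = [
    {"api": "NtSetInformationThread", "pid": 1234, "info_class": 0x11},
    {"api": "NtCreateThreadEx", "pid": 1234, "flags": 0x4},
    {"api": "WriteProcessMemory", "pid": 1234, "target_pid": 5678},
    {"api": "SetThreadContext", "pid": 1234, "target_pid": 5678},
    {"api": "SetThreadContext", "pid": 1234, "target_pid": 1234},   # own thread: not flagged
    {"api": "NtCreateFile", "pid": 5678,
     "path": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"api": "RegOpenKeyExW", "pid": 5678,
     "path": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles"},
    {"api": "NtCreateFile", "pid": 5678, "path": r"C:\Users\u\Desktop\notes.txt"},  # benign
    {"api": "HttpSendRequestW", "pid": 5678, "host": "checkip.dyndns.org"},
]

if __name__ == "__main__":
    for sig, evs in scan(SAMPLE_TRACE).items():
        print(f"{sig}: {len(evs)} event(s)")
```

The SetThreadContext rule is deliberately stateful: the call on its own is common in legitimate code, and it is the preceding WriteProcessMemory into the same target process that makes it the hollowing pattern, which is why the own-thread call in the trace does not fire. A real rule set would also key the credential-store patterns on the process that reads them, since the reads here come from the hollowed child rather than the loader.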

MITRE ATT&CK Enterprise v15

Tasks