Overview

overview

10

Static

static

3

Wuerth_fac...6..exe

windows7-x64

10

Wuerth_fac...6..exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Sharing

Copy URL Twitter E-mail

General

  • Target

    Wuerth_factura_4052073226..exe

  • Size

    1.0MB

  • Sample

    241018-aagdlaxbjq

  • MD5

    787041cd8d6cd5e63534d1b060889a76

  • SHA1

    82da83771130fbe29d2443635757c3cf5c3949c6

  • SHA256

    4447fbf1066bc4f640abff84fcac04d0c86664f9823410348a36c280ac80e26d

  • SHA512

    76c61133334a5c0658a166bf2cbe4d737eb24bd17089622e5ee083b730a7f06d40d4346957890268a94cc7daf7eafe3da3918e4adadf710faca9a7ead36f4330

  • SSDEEP

    24576:4l4OsRyZEyJ2zgsJVXRMpYHpiLNutFYTYdk6Tc3:m4O/qyEcwKpDE+YdVTc3

Score
10/10
vipkeyloggercollectiondiscoverykeyloggerspywarestealer

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7777204705:AAGdGJgXaEaWvE6yXv7RvWYjJkTQCsiDnJc/sendMessage?chat_id=7698865320

Targets

    • Target

      Wuerth_factura_4052073226..exe

    • Size

      1.0MB

    • MD5

      787041cd8d6cd5e63534d1b060889a76

    • SHA1

      82da83771130fbe29d2443635757c3cf5c3949c6

    • SHA256

      4447fbf1066bc4f640abff84fcac04d0c86664f9823410348a36c280ac80e26d

    • SHA512

      76c61133334a5c0658a166bf2cbe4d737eb24bd17089622e5ee083b730a7f06d40d4346957890268a94cc7daf7eafe3da3918e4adadf710faca9a7ead36f4330

    • SSDEEP

      24576:4l4OsRyZEyJ2zgsJVXRMpYHpiLNutFYTYdk6Tc3:m4O/qyEcwKpDE+YdVTc3

    Score
    10/10
    vipkeyloggerdiscoverykeyloggerstealercollectionspyware

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

      stealerkeyloggervipkeylogger

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      fc3772787eb239ef4d0399680dcc4343

    • SHA1

      db2fa99ec967178cd8057a14a428a8439a961a73

    • SHA256

      9b93c61c9d63ef8ec80892cc0e4a0877966dca9b0c3eb85555cebd2ddf4d6eed

    • SHA512

      79e491ca4591a5da70116114b7fbb66ee15a0532386035e980c9dfe7afb59b1f9d9c758891e25bfb45c36b07afd3e171bac37a86c887387ef0e80b1eaf296c89

    • SSDEEP

      192:eS24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35OloSl:S8QIl975eXqlWBrz7YLOlo

    Score
    3/10
    discovery
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks