General

  • Target

    PAGO FRAS. AGOSTO 2024..exe

  • Size

    874KB

  • Sample

    241021-kyjhzazanm

  • MD5

    400ae56b0e2f429c20f563959042b2e9

  • SHA1

    383b18e2e55a4f7bea251cc82aec9cdae9f22fed

  • SHA256

    7e6de6e460ec2322a30dfeca3a723811d3ac15486fa2139a3454edbc7b1927df

  • SHA512

    cb9df99342ba1b59461f14256790e40d82db0d989e496b1e7ee3baaeea29de464f307831cc43688261a8e55a067d8d5538efdd3185695518c70cc84a67c3a827

  • SSDEEP

    24576:/FxyAEp6l1UyqTxWBhc+alCJmvulW6Nd0va:3ykYxTxA2+m7mwMAa

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      PAGO FRAS. AGOSTO 2024..exe

    • Size

      874KB

    • MD5

      400ae56b0e2f429c20f563959042b2e9

    • SHA1

      383b18e2e55a4f7bea251cc82aec9cdae9f22fed

    • SHA256

      7e6de6e460ec2322a30dfeca3a723811d3ac15486fa2139a3454edbc7b1927df

    • SHA512

      cb9df99342ba1b59461f14256790e40d82db0d989e496b1e7ee3baaeea29de464f307831cc43688261a8e55a067d8d5538efdd3185695518c70cc84a67c3a827

    • SSDEEP

      24576:/FxyAEp6l1UyqTxWBhc+alCJmvulW6Nd0va:3ykYxTxA2+m7mwMAa

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Accesses Microsoft Outlook profiles

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Vandrerlav.syn

    • Size

      53KB

    • MD5

      49efaa361fa814ae9123a4402a61a0d1

    • SHA1

      fb0d528bd5092db2edbf5cdfd170c4f99f95de3e

    • SHA256

      f60736c8ae2a891dd30ed3139b9a809f6db0a8073e6407f9fd3ea05cee092d5d

    • SHA512

      fff32029eeec0b5ff646941e636ac698220c1229eec0dc85060800da2f41382bb53537547d4a3bc7ae59d4ff68ae5fc71fe1fc5b50b89df12dbf4337dcd1350f

    • SSDEEP

      1536:rPamKP6L416FHUmCNBYsKvWubxxebyGOKYCpdvJd:rbKg7UmCHYxb2RvP

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks