General

  • Target

    FACTURARAGOZA.exe

  • Size

    840KB

  • Sample

    241021-lbnpvayamd

  • MD5

    8b7d3863a10666b5b4fca4230c413755

  • SHA1

    1125d82c42bb40664961ee5b57d29da65cd300b0

  • SHA256

    7c4a22d1264cf34a71cce344a1a5e38bbe50ab5bf7bd560d98e04759c1bd6029

  • SHA512

    16cb86bc69971e7b97a229f7d4ba7abd33d1eea721980f794c8472dd549b263758dbcd68a3b9269fefe255560dc820612ad9ee819aaab692b12073c93ad7b5a9

  • SSDEEP

    12288:l98Xpcv5nBOae+1lEPE5PyZHIETeVlCE7vkQymGwSW01hXqvjoaCi7lnsZz0mas:/Mp0OzolUHI+alCJmvulW6Nd0vs

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      FACTURARAGOZA.exe

    • Size

      840KB

    • MD5

      8b7d3863a10666b5b4fca4230c413755

    • SHA1

      1125d82c42bb40664961ee5b57d29da65cd300b0

    • SHA256

      7c4a22d1264cf34a71cce344a1a5e38bbe50ab5bf7bd560d98e04759c1bd6029

    • SHA512

      16cb86bc69971e7b97a229f7d4ba7abd33d1eea721980f794c8472dd549b263758dbcd68a3b9269fefe255560dc820612ad9ee819aaab692b12073c93ad7b5a9

    • SSDEEP

      12288:l98Xpcv5nBOae+1lEPE5PyZHIETeVlCE7vkQymGwSW01hXqvjoaCi7lnsZz0mas:/Mp0OzolUHI+alCJmvulW6Nd0vs

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first found in 2020.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with a hidden display window.

    • Accesses Microsoft Outlook profiles

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Eeriness.Jen

    • Size

      52KB

    • MD5

      e2e26c97990da8cb9c55ee8c58b978b7

    • SHA1

      234394c3b09003f750f25fca64fa913af426e2b0

    • SHA256

      e0811f5bd681f1d6f459bff5a17d9eca6c0eb20d715b6b0d2226f716a27716df

    • SHA512

      00884ccbddc2236d90029fa120b500ca2253574b00621bf74d41d04b89337f54a253837d477b7bb0f5d99c58e6a16e53c4bf5a2f5ca75ae345df5feaef25c5a2

    • SSDEEP

      768:uZO8t25IA76eZYpd1LpO8b9a8TkKBorle3uAKAF9ptPwejG4HdjdeZi3JV8dUYM6:VEjiYlO09/zYeV7zPG49jdBcB

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15