General

  • Target

    RemmitanceforInvoiceINV67537829Payment.pdf.exe

  • Size

    856KB

  • Sample

    241021-rbjzjsyblq

  • MD5

    86632775e2f5776bfce4c7e2df632903

  • SHA1

    921d772df60b49676ae2c512fcc15e86d33965ca

  • SHA256

    e1f1e5970511d1bebefffb1d2da35cc65cd287d9c7be042c194fa8f8dce37cec

  • SHA512

    e3169916e2144e9f64e2eafa13805c231713733fc213e5827f6d38af3ff47383eee819389e8df9265067f374e1f93432e5288175c9c6ba3d09721a67b58caeec

  • SSDEEP

    24576:/aApdWAzcP5hb7e79uU9Pq/33Grj+alCJmvulW6Nd0v6:ppd1cRN6pMS+m7mwMA6
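A small triage helper, added here as an example and not part of the sandbox report: it hashes a candidate file, compares the digests against the hash IOCs listed on this page (copied verbatim from the report), and checks the two cheap static tells a first responder looks for before detonating anything, a document-looking name with a trailing executable extension and file content whose magic bytes contradict that name. The sample bytes in the demo are constructed (a bare MZ header) and deliberately do not match the report's hashes; SSDEEP is left out because the Python standard library has no ssdeep implementation, and the extension lists are an assumption.

```python
"""Compare a file against the hash IOCs from the report and flag cheap static tells.

Added example, not code from the sandbox report. Hashes below are copied from the
report; everything else (extension lists, demo bytes) is constructed for illustration.
"""
import hashlib
from typing import Dict, Optional

# Hash IOCs copied from the report for both targets (md5/sha1/sha256/sha512).
REPORT_IOCS: Dict[str, Dict[str, str]] = {
    "RemmitanceforInvoiceINV67537829Payment.pdf.exe": {
        "md5": "86632775e2f5776bfce4c7e2df632903",
        "sha1": "921d772df60b49676ae2c512fcc15e86d33965ca",
        "sha256": "e1f1e5970511d1bebefffb1d2da35cc65cd287d9c7be042c194fa8f8dce37cec",
        "sha512": "e3169916e2144e9f64e2eafa13805c231713733fc213e5827f6d38af3ff47383"
                  "eee819389e8df9265067f374e1f93432e5288175c9c6ba3d09721a67b58caeec",
    },
    "Minerological.Ane": {
        "md5": "8825d00bcab0f9536304af576722fab8",
        "sha1": "f931760c113be56731d6f5d8a0c46c5c45745e96",
        "sha256": "27c53caf883a115601f8cdb182d4edc4e029ec1d5c7fb3b932ec5adf4da03d77",
        "sha512": "2f49b3a74a2cc728693d17fbf4240a47ee4a21d0a982ac2c7f8925b614c8492c"
                  "d4c1af5ed947da02786cbf3a49d46a6d98ffa3432932c3c3058e14d91176b034",
    },
}

# Assumed lists: executable extensions that get hidden behind a document-looking name.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Return md5/sha1/sha256/sha512 hex digests of data, computed in one pass."""
    hs = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256", "sha512")}
    for h in hs.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in hs.items()}


def hash_file(path: str, chunk: int = 1 << 20) -> Dict[str, str]:
    """Same as hash_bytes but streams a file from disk so large samples fit in memory."""
    hs = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256", "sha512")}
    with open(path, "rb") as f:
        while block := f.read(chunk):
            for h in hs.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hs.items()}


def match_iocs(digests: Dict[str, str]) -> Optional[str]:
    """Return the report target name whose hashes match any digest, else None."""
    for target, iocs in REPORT_IOCS.items():
        for alg, value in iocs.items():
            if digests.get(alg, "").lower() == value:
                return target
    return None


def has_double_extension(name: str) -> bool:
    """True for names like 'invoice.pdf.exe': a document extension hiding an executable one."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    return f".{parts[2]}" in EXEC_EXTS and f".{parts[1]}" in DOC_EXTS


def file_magic(data: bytes) -> str:
    """Very small magic-byte classifier, enough to catch 'PDF' names on PE content."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:4] == b"%PDF":
        return "pdf"
    return "unknown"


def triage(name: str, data: bytes) -> Dict[str, object]:
    """Combine the checks into one verdict: known-bad, suspicious, or no-indicators."""
    digests = hash_bytes(data)
    hit = match_iocs(digests)
    double_ext = has_double_extension(name)
    magic = file_magic(data)
    # A name that shows '.pdf' to the user but carries PE content is a mismatch.
    looks_like_pdf = ".pdf" in name.lower()
    mismatch = looks_like_pdf and magic == "pe"
    if hit:
        verdict = "known-bad"
    elif double_ext or mismatch:
        verdict = "suspicious"
    else:
        verdict = "no-indicators"
    return {"name": name, "ioc_match": hit, "double_extension": double_ext,
            "magic": magic, "magic_mismatch": mismatch, "verdict": verdict,
            "sha256": digests["sha256"]}


if __name__ == "__main__":
    # Constructed demo input: a bare MZ header, not the real sample.
    demo = b"MZ\x90\x00" + b"\x00" * 60
    print(triage("RemmitanceforInvoiceINV67537829Payment.pdf.exe", demo))
```

In practice you would call `hash_file()` on the quarantined object and feed the digests to `match_iocs()`; a hash match is the only check here that identifies this specific sample, the other two are generic tells that also fire on unrelated lures.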

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      RemmitanceforInvoiceINV67537829Payment.pdf.exe

    • Size

      856KB

    • MD5

      86632775e2f5776bfce4c7e2df632903

    • SHA1

      921d772df60b49676ae2c512fcc15e86d33965ca

    • SHA256

      e1f1e5970511d1bebefffb1d2da35cc65cd287d9c7be042c194fa8f8dce37cec

    • SHA512

      e3169916e2144e9f64e2eafa13805c231713733fc213e5827f6d38af3ff47383eee819389e8df9265067f374e1f93432e5288175c9c6ba3d09721a67b58caeec

    • SSDEEP

      24576:/aApdWAzcP5hb7e79uU9Pq/33Grj+alCJmvulW6Nd0v6:ppd1cRN6pMS+m7mwMA6

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#. It resembles SnakeKeylogger, which was first seen in 2020.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Accesses Microsoft Outlook profiles

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Minerological.Ane

    • Size

      52KB

    • MD5

      8825d00bcab0f9536304af576722fab8

    • SHA1

      f931760c113be56731d6f5d8a0c46c5c45745e96

    • SHA256

      27c53caf883a115601f8cdb182d4edc4e029ec1d5c7fb3b932ec5adf4da03d77

    • SHA512

      2f49b3a74a2cc728693d17fbf4240a47ee4a21d0a982ac2c7f8925b614c8492cd4c1af5ed947da02786cbf3a49d46a6d98ffa3432932c3c3058e14d91176b034

    • SSDEEP

      1536:XrcSe7xScnP2uIunmT5judIz/sF6VgCv6ix88jXr8d0DIe:XNef8dj6UeA28JDIe

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key under the Active Setup Installed Components of the local machine; the key's StubPath command is executed at the next user logon.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.
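The Active Setup persistence noted above is worth hunting for on other hosts, so here is an added example (not code from the report) that parses a regedit export of HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components and flags StubPath values a practitioner would want to look at: commands that invoke a script interpreter such as PowerShell, paths in user-writable locations, or executables outside the normal install directories. The .reg text is constructed; the GUIDs and paths in it are made up, and the lists of interpreters, user-writable locations and trusted prefixes are assumptions to tune per environment. The report does not name the GUID or StubPath the sample uses, so the check is generic.

```python
"""Hunt for Active Setup persistence in a regedit export (.reg) of the Installed Components key.

Added example, not part of the sandbox report. Active Setup runs each HKLM
Installed Components\\{GUID} StubPath once per user at logon, whenever the HKCU
copy of that GUID is missing or has a lower Version, so one planted HKLM key is
enough. The export text and every GUID/path in it are constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed regedit export: one benign-looking entry and two planted ones.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}]
"ComponentID"="Constructed benign component"
"StubPath"="C:\\Windows\\System32\\ie4uinit.exe -UserConfig"
"Version"="1,0,0,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{deadbeef-0000-4000-8000-000000000001}]
"StubPath"="C:\\Users\\victim\\AppData\\Roaming\\update.exe"
"Version"="1,0,0,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{deadbeef-0000-4000-8000-000000000002}]
"StubPath"="powershell.exe -w hidden -File C:\\ProgramData\\x.ps1"
"Version"="1,0,0,0"
'''

# Assumed heuristics; tune to the environment.
INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript", "mshta", "regsvr32", "rundll32")
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\",
                 "%appdata%", "%localappdata%", "%temp%", "%userprofile%")
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\",
                    "%systemroot%\\", "%programfiles%\\")

_VALUE_RE = re.compile(r'^"StubPath"="(.*)"$')
_FIRST_TOKEN_RE = re.compile(r'^"([^"]+)"|^(\S+)')


def _unescape(value: str) -> str:
    """Undo regedit's escaping of backslashes and quotes inside a string value."""
    return value.replace("\\\\", "\\").replace('\\"', '"')


def parse_stub_paths(reg_text: str) -> List[Tuple[str, str]]:
    """Return (key, stubpath) pairs for every Installed Components entry with a StubPath."""
    out: List[Tuple[str, str]] = []
    current_key = ""
    in_active_setup = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            in_active_setup = "\\active setup\\installed components\\" in current_key.lower()
            continue
        if not in_active_setup:
            continue
        m = _VALUE_RE.match(line)
        if m:
            out.append((current_key, _unescape(m.group(1))))
    return out


def why_suspicious(stub: str) -> List[str]:
    """List the reasons a StubPath deserves a look; empty list means it passed the heuristics."""
    s = stub.lower()
    reasons: List[str] = []
    if any(name in s for name in INTERPRETERS):
        reasons.append("script/LOLBin interpreter")
    if any(loc in s for loc in USER_WRITABLE):
        reasons.append("user-writable location")
    m = _FIRST_TOKEN_RE.match(s)
    first = (m.group(1) or m.group(2)) if m else ""
    if first and not first.startswith(TRUSTED_PREFIXES):
        reasons.append("outside trusted install dirs")
    return reasons


def hunt(reg_text: str) -> List[Dict[str, object]]:
    """Parse the export and return only the entries that tripped at least one heuristic."""
    flagged = []
    for key, stub in parse_stub_paths(reg_text):
        reasons = why_suspicious(stub)
        if reasons:
            flagged.append({"key": key, "stubpath": stub, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in hunt(SAMPLE_REG):
        print(hit["key"].rsplit("\\", 1)[-1], "->", hit["stubpath"], hit["reasons"])
```

To produce the input on a live host, export the key with `reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" out.reg` (and the WOW6432Node copy on 64-bit systems); regedit writes UTF-16 with a BOM, so open the file with `encoding="utf-16"` before passing its text to `hunt()`. A clean heuristic result does not prove an entry is benign: a planted StubPath that points at a renamed binary under Program Files would pass, so compare GUIDs against a known-good baseline as well.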

MITRE ATT&CK Enterprise v15

Tasks