General

  • Target

    21102024_1417_21102024_FACTURA DE PAGO.rar

  • Size

    766KB

  • Sample

    241021-rlv5kaxapd

  • MD5

    00c6d3228305595793f50fd6f98eec96

  • SHA1

    04b4fb2250e5ccb58792945691950722b1c2fdcf

  • SHA256

    616abd2ed328e20483922ab0a20a08d50b4da494b2e818815c326a1fa52213dc

  • SHA512

    71d9ce384d6a7a8fbd9ce0492694c191a8321aae845049d62700e47e8332f2d016940b50f6d83885f1c94c996f9d059134eff997e0b4d5648313d93e1b32b40c

  • SSDEEP

    12288:DEi4aktdMTKUaA3k3iSreoFEavQAhv27lv2loWQdPdopYKQkX2TcF42upC44qn9v:DEVvtWfaAU3inoW5Ahv4lOozdPdmnmXb

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      FACTURA DE PAGO.exe

    • Size

      859KB

    • MD5

      de02502f79bc183714a9dfe879831170

    • SHA1

      c1fd975e0df663fd49e86ae1453d0ad3eccacea8

    • SHA256

      9e3ef4dbb2d13139c75e1cbf855114111e6378fc518b7666f972442134d06718

    • SHA512

      c921e2e02ed0969ad66ae503e3cc83d0e2a3c3d6d43814c8b31c3b8606cde77e6f39c9a4b41088c0718b182a84dc29cae5f609dff872e98dcd00ef28c58b6415

    • SSDEEP

      12288:l9LVa31WR5y/seQ/33WcLvfLn/ETeVlCE7vkQymGwSW01hXqvjoaCi7lnsZz0maD:/D5y/+/vfD/+alCJmvulW6Nd0vD

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first observed in 2020.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Accesses Microsoft Outlook profiles

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Udlaanslofterne/Incuss.Pen

    • Size

      52KB

    • MD5

      f9bb610fdaf3e9fb1b4faa9ffddfab51

    • SHA1

      b0858761694b149c52d79d915d24d6d8fe161d14

    • SHA256

      9aaa17344e82a1134ff2b6c6e1eee773f703fd9f110b9b58fdfb87824f5def78

    • SHA512

      34f0f7ce7e4cbeb1ce0b699cfc97e5f6619dcd238fba0d9b30645d4fbc4ad5d97149355703568484b5110c621acd8eb1a0fb748359d4473cd7bf4b85235def54

    • SSDEEP

      768:y8ydwJkymbROj2OT/UOomJZlXFpMI7k9D1Og/7wVKlMhVaPCQc2jVT:y8ycmd0DUOoGXFZKcg8OmVuD5

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15