General

  • Target

    TicariXHesapXXzetiniz.exe

  • Size

    868KB

  • Sample

    241022-hsnjmaverq

  • MD5

    c676d09741d75516a52593da851f8e81

  • SHA1

    d240a1271f4a3a0380a550d7c34bbfc5e2f3212b

  • SHA256

    9b1f6b694a8757b419c04ccd6ade02b58db56952b45d3a70c02dfb9682ec9fdc

  • SHA512

    1f032edb87bf2f7333e74e2ff997c07731974163d6e961261aee24b5e1ee6b00e3fe451c77e2983b509959d8ca86979b29796de133b1832c463894f46bae5b80

  • SSDEEP

    12288:l9Aw7LtaVYyyQiZ5Q20zMETeVlCE7vkQymGwSW01hXqvjoaCi7lnsZz0ma2:/AmtaVYyyQijQ9g+alCJmvulW6Nd0v2

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      TicariXHesapXXzetiniz.exe

    • Size

      868KB

    • MD5

      c676d09741d75516a52593da851f8e81

    • SHA1

      d240a1271f4a3a0380a550d7c34bbfc5e2f3212b

    • SHA256

      9b1f6b694a8757b419c04ccd6ade02b58db56952b45d3a70c02dfb9682ec9fdc

    • SHA512

      1f032edb87bf2f7333e74e2ff997c07731974163d6e961261aee24b5e1ee6b00e3fe451c77e2983b509959d8ca86979b29796de133b1832c463894f46bae5b80

    • SSDEEP

      12288:l9Aw7LtaVYyyQiZ5Q20zMETeVlCE7vkQymGwSW01hXqvjoaCi7lnsZz0ma2:/AmtaVYyyQijQ9g+alCJmvulW6Nd0v2

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Accesses Microsoft Outlook profiles

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Melibiose.Spa

    • Size

      53KB

    • MD5

      1f737850c90e5d135b2a519df3ce86a4

    • SHA1

      3d539ea4291810b1191eb671d8369b0cfa6d6f1d

    • SHA256

      dbc22a96f5153282b6037375b64d01887dbf9b978dd5eada76eaba847d8e7a3f

    • SHA512

      677a27533f8505de074c2237fba524f250c6db2c5a02b9b89341a49cd49ea6ccca1126d5964de025414fcf2fac58aee798f2c5c1536ab80a8ada088f1fd85996

    • SSDEEP

      1536:PVYsfFw+Y9sUEAhh4Dp2UrjvFBnGOkrq3GyY6GBTU:dH97NNAhh4t2U3ZYarY6qTU

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks