General

  • Target

    BOLUDA CORPORACIÓN MARÍTIMA, S.L. PEDIDO 268e44.vbs

  • Size

    526KB

  • Sample

    241022-lz664a1gjj

  • MD5

    7b8f65c95deba3838f09c3c5e8f06c0c

  • SHA1

    23f1d2f39788402c16ba1f5d6932eb4bef6df983

  • SHA256

    da852e6aeab8c6422eecc57d741aae2a49abd26ee2d29185c0fa8f898f4bdf71

  • SHA512

    dd47543459445da9edbb596e987472eac6408159af6ddd55b174896cd6fb3b90f1ba8229d26ca7ebd6fff46b27a6ed7bfa1fc19d805e8c9bd7c0131a7bcf39ba

  • SSDEEP

    6144:RV/75X5P9mqNDV7MbA9hftqVDrITVFWCTf90ieURGrMDI1xFz0zhdwu07QBmU1oI:9L/NhVQRI5FL9fTRMzKwuk41omig

Malware Config

  • Extracted

    Family: vipkeylogger

  • Credentials

Targets

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks