General

  • Target

    BOLUDA CORPORACIÓN MARÍTIMA, S.L. PEDIDO 268e44.rar

  • Size

    244KB

  • Sample

    241022-nnxvdsvdml

  • MD5

    a2a161efeacc5732d0b9ccaeea257b27

  • SHA1

    6ea47417f192618f140b1913100072e9dae3aa7e

  • SHA256

    03db3703cccd05dbb958a438f99119539e0d31f5cf0c01a1d1690a866cb2b880

  • SHA512

    041713bdac7a2b701a04c149d84120184b71816cbf121cc0af38b9b47380db782fa6f13a176b16a86c83a5eafcb3093befe4101d007ce12ea9dc191edbcaf189

  • SSDEEP

    3072:BvuhPmej2QomryrXvthWPvr69BVJARdcB6aAOrlBadQ0z52HYaI2+39PXSjGDlqz:8meUbbvARdcIArPan524HBvqXDBJ

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      BOLUDA CORPORACIÓN MARÍTIMA, S.L. PEDIDO 268e44.vbs

    • Size

      526KB

    • MD5

      7b8f65c95deba3838f09c3c5e8f06c0c

    • SHA1

      23f1d2f39788402c16ba1f5d6932eb4bef6df983

    • SHA256

      da852e6aeab8c6422eecc57d741aae2a49abd26ee2d29185c0fa8f898f4bdf71

    • SHA512

      dd47543459445da9edbb596e987472eac6408159af6ddd55b174896cd6fb3b90f1ba8229d26ca7ebd6fff46b27a6ed7bfa1fc19d805e8c9bd7c0131a7bcf39ba

    • SSDEEP

      6144:RV/75X5P9mqNDV7MbA9hftqVDrITVFWCTf90ieURGrMDI1xFz0zhdwu07QBmU1oI:9L/NhVQRI5FL9fTRMzKwuk41omig

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first found in 2020.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Accesses Microsoft Outlook profiles

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks