General

  • Target

    001_215_EA2047939_202410210815.exe

  • Size

    867KB

  • Sample

    241022-pmah5svcpe

  • MD5

    25da279ad7ee7cc3b8d3e5cd5aa4b5b2

  • SHA1

    d1fc6cbe8d8cca235ed29de6b109a0cb951eb5f3

  • SHA256

    963d35a92ffdbbdd35c71fc392a73ce49e242ca1b80f94204ef714cc42bbf8d0

  • SHA512

    db074cfe6c006f194b8b4ca983fb83a88229beb229504c8eba07140fe490974e90dfe75b66b9c4d81bd319fdaaccc822473064771b7ac8d333012859f139498e

  • SSDEEP

    12288:l9Zwb4/I1H06OdtVQuqilUSDFOIBETeVlCE7vkQymGwSW01hXqvjoaCi7lnsZz0W:/dPFtVtOIB+alCJmvulW6Nd0vu

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      001_215_EA2047939_202410210815.exe

    • Size

      867KB

    • MD5

      25da279ad7ee7cc3b8d3e5cd5aa4b5b2

    • SHA1

      d1fc6cbe8d8cca235ed29de6b109a0cb951eb5f3

    • SHA256

      963d35a92ffdbbdd35c71fc392a73ce49e242ca1b80f94204ef714cc42bbf8d0

    • SHA512

      db074cfe6c006f194b8b4ca983fb83a88229beb229504c8eba07140fe490974e90dfe75b66b9c4d81bd319fdaaccc822473064771b7ac8d333012859f139498e

    • SSDEEP

      12288:l9Zwb4/I1H06OdtVQuqilUSDFOIBETeVlCE7vkQymGwSW01hXqvjoaCi7lnsZz0W:/dPFtVtOIB+alCJmvulW6Nd0vu

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Accesses Microsoft Outlook profiles

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Kontokurantens.Unc

    • Size

      50KB

    • MD5

      8a4da8bab6993bc24f8ba89b1a5035ba

    • SHA1

      0266616ebaff76b9027bdf4a52742bbb6d7dbf90

    • SHA256

      d19add8d848501931650d9c2f77d4519b15ffe2399a161dac88ea99c07f1b62d

    • SHA512

      1f604a65b0fb4543feab6eb9584aab3c47c5ebcabf251492c7be827e3c5d547f310ff05354bf30837fe8192be427c1855ec22783a0be14db15b40b1f05a13c50

    • SSDEEP

      1536:em3/0wJ5Bo29iuM2fkfAFr6+nw0JefyiwDs:/3/0EbiuRcot6Ocfyiwo

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks