vipkeylogger | 98e999b9e6771e3f4dd54455ece73c011dea3c7f93ae9a75932b2a0a08765f25 | Triage

Sharing

General

Target

22102024_1632_22102024_NUEVOORDEN.rar
Size

244KB
Sample

241022-t6m1ssvcnb
MD5

d9e57e01341093d4b0800e69f78d1b74
SHA1

51a9f222154602bea3a6c265e88d7ecbb8289d6b
SHA256

98e999b9e6771e3f4dd54455ece73c011dea3c7f93ae9a75932b2a0a08765f25
SHA512

aa618ab26995c2ce3975ce2155425b85de16d2251e3fa6df0e86b6838bd57ae90852baf26c99fe14f7412a60b21c03d351cb586ccb21a1513524a9130bbea7c8
SSDEEP

6144:4vaHixAVgdnOaIJb4awyhCAtD5TsHsWjJb98LJaDZT+F:oaCOVg89cyBDGMWjVuLJaFiF

Score

10^/10

vipkeylogger collection discovery execution keylogger stealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
smtp.ionos.es
Port:
587
Username:
[email protected]
Password:
1446010
Email To:
[email protected]

Targets

- Target
  
  NUEVO ORDEN.vbs
- Size
  
  525KB
- MD5
  
  2358bb1bd8cf609df9f1917cf4224194
- SHA1
  
  45e0ca20b16c048979d95b59f40475f8fa282e32
- SHA256
  
  982fc9bb4315f9e7114479b0a684873cbdc9e99ed75d96a342fd46235f59e84e
- SHA512
  
  c2c0e324c07f027edb5e6c34ce368b7d3387fddf6078e5e17c80efa9211381ff58dc27acc22511d0d9f0775b08a43eabfbd7a00061d9f6a3689d3c07a23e9230
- SSDEEP
  
  6144:By/7hX57oFbgZQmRmM0rdGqqgLpjDLkB8Gj+xJ9HQ5/vyGVi4dAMuUnhbeDLttD6:kyRgiYgqSjDoB4x7w5XLduIeD53Vgzeg
Score

10^/10

vipkeylogger discovery execution keylogger stealer collection
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

vipkeyloggerdiscoveryexecutionkeyloggerstealer

behavioral2

vipkeyloggercollectiondiscoveryexecutionkeyloggerstealer