General

  • Target

    831d910bffcfaebaea5b3ecd027acdef5c64ca9e5462b4b12f4f95abaf89d11b

  • Size

    817KB

  • Sample

    241022-tljsmsvhqm

  • MD5

    b1d177673ab0aadf64481d3059d998d3

  • SHA1

    7090cfbde48e3be7f2758b423876257fc86e7244

  • SHA256

    831d910bffcfaebaea5b3ecd027acdef5c64ca9e5462b4b12f4f95abaf89d11b

  • SHA512

    626efd450e969c84d6bbc7d78ede5ba2d59b4ca6d041ec3c7ff7b3f12ebf482bec6d4c252208447d85a17ff221874ecfa940cc9286c6e30b73bb54533200a25b

  • SSDEEP

    24576:n/zkH7OtxXqzpQKhK1xlJi53XJCiPzzeJYlXtuPz:7kHexVWKDlJ2MiboDz

Malware Config

Extracted

  • Family

    vipkeylogger

  • Credentials

Targets

    • Target

      Miljpaavirkningen.exe

    • Size

      895KB

    • MD5

      0327d3ca2373bdcfad29ae18a7554884

    • SHA1

      92ce0598c98f0ddc2ae136491f0e988ddcf29d49

    • SHA256

      eb60de90ee98dcc76c344d75d96f2eb72bd4466a504f2668a660ec928abf07e1

    • SHA512

      efdd810fab7b956116a99ba2d78e723474e14343c8cd5cde01ae8cb61a441aad14f516a151c530b42b7b8b1760405ca87c9415cbf53a541190c92e2250c751ee

    • SSDEEP

      12288:N5e/L/ujA9jjzAmiTs3QCXDzo3vKz/oByv268ODurlKRFP7Pytafm6wY8yujWX6d:abu0wmt43w/9268OD6lm7Pytae6/B1G5

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Accesses Microsoft Outlook profiles

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Kreditnotaens/Plettes.For

    • Size

      52KB

    • MD5

      ce0a682e2db6ee3b12ff901dd3bb16d8

    • SHA1

      d661a2f36066a9482a99c47c7773fc79161ea983

    • SHA256

      f73707d437fa4b1c7350b2eaf02faff3752d2267faa038e789fc3253aa08ae5e

    • SHA512

      75acea1f522ca924304dbaf44ce5732d04fe746c985edf2fe90e4de1ab036940f5f3a2cf76a0e8338f23014a1226de91af8b9c4aecfdb537a489b003b314f7c7

    • SSDEEP

      1536:wSzp6zgtCnDFOdY4ARI0LEvoaxTs7BdGiyn:wGp6zgtCnZOzARpLLaxw7BdGiK

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a registry key to the Active Setup of the local machine.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks