General
Target: 9b1f6b694a8757b419c04ccd6ade02b58db56952b45d3a70c02dfb9682ec9fdc.exe
Size: 868KB
Sample: 241023-b1pnbswfqq
MD5: c676d09741d75516a52593da851f8e81
SHA1: d240a1271f4a3a0380a550d7c34bbfc5e2f3212b
SHA256: 9b1f6b694a8757b419c04ccd6ade02b58db56952b45d3a70c02dfb9682ec9fdc
SHA512: 1f032edb87bf2f7333e74e2ff997c07731974163d6e961261aee24b5e1ee6b00e3fe451c77e2983b509959d8ca86979b29796de133b1832c463894f46bae5b80
SSDEEP: 12288:l9Aw7LtaVYyyQiZ5Q20zMETeVlCE7vkQymGwSW01hXqvjoaCi7lnsZz0ma2:/AmtaVYyyQijQ9g+alCJmvulW6Nd0v2
Static task: static1
Behavioral tasks
behavioral1: 9b1f6b694a8757b419c04ccd6ade02b58db56952b45d3a70c02dfb9682ec9fdc.exe on win7-20240903-en
behavioral2: 9b1f6b694a8757b419c04ccd6ade02b58db56952b45d3a70c02dfb9682ec9fdc.exe on win10v2004-20241007-en
behavioral3: Melibiose.ps1 on win7-20240903-en
behavioral4: Melibiose.ps1 on win10v2004-20241007-en
Malware Config
Extracted: vipkeylogger
Protocol: smtp
Host: smtp.ionos.es
Port: 587
Username: [email protected]
Password: Escaragol?24
Email To: [email protected]
Targets
Target: 9b1f6b694a8757b419c04ccd6ade02b58db56952b45d3a70c02dfb9682ec9fdc.exe
Size: 868KB
MD5: c676d09741d75516a52593da851f8e81
SHA1: d240a1271f4a3a0380a550d7c34bbfc5e2f3212b
SHA256: 9b1f6b694a8757b419c04ccd6ade02b58db56952b45d3a70c02dfb9682ec9fdc
SHA512: 1f032edb87bf2f7333e74e2ff997c07731974163d6e961261aee24b5e1ee6b00e3fe451c77e2983b509959d8ca86979b29796de133b1832c463894f46bae5b80
SSDEEP: 12288:l9Aw7LtaVYyyQiZ5Q20zMETeVlCE7vkQymGwSW01hXqvjoaCi7lnsZz0ma2:/AmtaVYyyQijQ9g+alCJmvulW6Nd0v2
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.
- Accesses Microsoft Outlook profiles
- Blocklisted process makes network request
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
  Both calls hide a thread from the debugger: NtSetInformationThread with ThreadHideFromDebugger (THREADINFOCLASS 0x11) on an existing thread, or NtCreateThreadEx with THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER (0x4) at creation. A hidden thread delivers no debug events, so a breakpoint or single-step inside it terminates the process instead of breaking in; neutralize both calls in ntdll (an anti-anti-debug plugin does this) before stepping the sample.
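The two network behaviours above, SMTP exfiltration to the extracted smtp.ionos.es:587 config and the external IP lookup, can be caught from connection metadata alone, which matters because submission on 587 is TLS-wrapped and the message body is not visible. The following is an added detection example, not code from the sandbox or from the sample; it runs over constructed Sysmon Event ID 3 style records, and the install path, the mail-client allow-list and the IP-lookup watchlist are assumptions to be tuned per estate.

```python
"""Added detection example (not sandbox or sample code): classify Sysmon Event ID 3
style network events for two behaviours in this report, SMTP submission from a
process that is not a mail client, and lookups of the host's external IP."""
from dataclasses import dataclass
from typing import List, Tuple

# Submission/relay ports; the extracted config points at smtp.ionos.es:587.
SMTP_PORTS = {25, 465, 587}
# Processes expected to speak SMTP on a workstation (assumed allow-list, tune per estate).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
# Public IP lookup services commonly used by stealers (assumed watchlist).
IP_LOOKUP_HOSTS = {
    "checkip.dyndns.org", "api.ipify.org", "ip-api.com", "icanhazip.com",
    "ipinfo.io", "checkip.amazonaws.com",
}


@dataclass
class NetEvent:
    image: str       # Sysmon "Image": full path of the connecting process
    dest_host: str   # Sysmon "DestinationHostname"
    dest_port: int   # Sysmon "DestinationPort"


def classify(ev: NetEvent) -> List[str]:
    """Names of the detections an event triggers; empty when nothing fires."""
    hits = []
    proc = ev.image.rsplit("\\", 1)[-1].lower()
    host = ev.dest_host.lower().rstrip(".")
    if ev.dest_port in SMTP_PORTS and proc not in MAIL_CLIENTS:
        hits.append("smtp_from_non_mail_process")
    if host in IP_LOOKUP_HOSTS or any(host.endswith("." + h) for h in IP_LOOKUP_HOSTS):
        hits.append("external_ip_lookup")
    return hits


def run(events: List[NetEvent]) -> List[Tuple[NetEvent, List[str]]]:
    """Return only the events that fired, paired with their detection names."""
    out = []
    for ev in events:
        hits = classify(ev)
        if hits:
            out.append((ev, hits))
    return out


# Constructed telemetry modelled on the report; the install path is an assumption.
SAMPLE_EXE = r"C:\Users\victim\AppData\Roaming\9b1f6b694a8757b419c04ccd6ade02b58db56952b45d3a70c02dfb9682ec9fdc.exe"
SAMPLE_EVENTS = [
    NetEvent(SAMPLE_EXE, "checkip.dyndns.org", 80),
    NetEvent(SAMPLE_EXE, "smtp.ionos.es", 587),
    NetEvent(r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "smtp.office365.com", 587),
    NetEvent(r"C:\Windows\System32\svchost.exe", "ctldl.windowsupdate.com", 80),
]

if __name__ == "__main__":
    for ev, hits in run(SAMPLE_EVENTS):
        print(f"{ev.image} -> {ev.dest_host}:{ev.dest_port}  {', '.join(hits)}")
```

The SMTP rule deliberately keys on the process rather than the destination: the sample's mail host is a legitimate provider, so a domain blocklist would not help, whereas a binary under a user profile opening port 587 is rare enough to review by hand. Ancestry and signing data would tighten it further, but those fields are not in Event ID 3 and are left out here.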
Target: Melibiose.Spa
Size: 53KB
MD5: 1f737850c90e5d135b2a519df3ce86a4
SHA1: 3d539ea4291810b1191eb671d8369b0cfa6d6f1d
SHA256: dbc22a96f5153282b6037375b64d01887dbf9b978dd5eada76eaba847d8e7a3f
SHA512: 677a27533f8505de074c2237fba524f250c6db2c5a02b9b89341a49cd49ea6ccca1126d5964de025414fcf2fac58aee798f2c5c1536ab80a8ada088f1fd85996
SSDEEP: 1536:PVYsfFw+Y9sUEAhh4Dp2UrjvFBnGOkrq3GyY6GBTU:dH97NNAhh4t2U3ZYarY6qTU
Score: 8/10
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. At the next interactive logon Windows compares each HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{id} key with the user's HKCU copy and, when the HKCU key is missing or carries a lower Version, runs the component's StubPath and then writes the HKCU key, so the payload fires once per user rather than on every logon; triage both hives, not just HKLM.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
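Because Active Setup only fires when the HKLM component is newer than, or absent from, the user's HKCU copy, a useful triage step is to export both Installed Components keys and compute which StubPaths will actually run for that user. The following is an added example, not code from the sandbox or the sample: it parses the text that `reg export` emits, applies the Version comparison, and flags commands that point at user-writable locations or script hosts. The registry export is constructed; the first component imitates the stock Windows Desktop Update entry and the second is an invented persistence entry in the style this report flags (the real key name and StubPath are not in the report), and the suspicious-path heuristic is an assumption to tune per estate.

```python
"""Added triage example (not sandbox or sample code): decide which Active Setup
components will run at a user's next logon from a 'reg export' of both hives,
and flag StubPath commands that point at user-writable locations or script hosts."""
import re

HKLM_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components"
HKCU_ROOT = r"HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components"

# Heuristic (assumed, tune per estate): legitimate StubPaths live under the OS or
# Program Files and do not invoke script hosts.
SUSPICIOUS = re.compile(
    r"%appdata%|%localappdata%|%temp%|%tmp%|\\users\\|\\programdata\\|"
    r"powershell|pwsh|cmd\.exe|wscript|cscript|mshta|\.ps1\b|\.vbs\b|\.js\b",
    re.IGNORECASE,
)


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> dict:
    """Parse the subset of .reg syntax that 'reg export' emits: {key: {name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = re.fullmatch(r'(?:"((?:[^"\\]|\\.)*)"|@)=(.*)', line)
        if m and current is not None:
            name = "@" if m.group(1) is None else m.group(1)
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                current[name] = _unescape(data[1:-1])
            elif data.lower().startswith("dword:"):
                current[name] = int(data[6:], 16)
            else:
                current[name] = data  # hex(...) and other types kept raw
    return keys


def _version(s):
    # Active Setup versions are comma-separated integers, compared element-wise
    return tuple(int(p) for p in s.split(",")) if s else None


def triage(reg_text: str) -> list:
    keys = parse_reg(reg_text)
    by_lower = {k.lower(): v for k, v in keys.items()}
    findings = []
    for key, vals in keys.items():
        if not key.lower().startswith(HKLM_ROOT.lower() + "\\"):
            continue
        guid = key.rsplit("\\", 1)[-1]
        stub = vals.get("StubPath")
        # IsInstalled defaults to 1; an explicit 0 disables the component.
        if not stub or vals.get("IsInstalled", 1) == 0:
            continue
        user = by_lower.get((HKCU_ROOT + "\\" + guid).lower())
        hklm_ver = _version(vals.get("Version"))
        if user is None:
            will_run = True  # never processed for this user
        else:
            hkcu_ver = _version(user.get("Version"))
            will_run = hklm_ver is not None and (hkcu_ver is None or hkcu_ver < hklm_ver)
        findings.append({"guid": guid, "stub": stub, "will_run": will_run,
                         "suspicious": bool(SUSPICIOUS.search(stub))})
    return findings


# Constructed export: a stock-style Windows Desktop Update entry plus an invented
# persistence entry (key name and command are assumptions, not from the report).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
@="Windows Desktop Update"
"StubPath"="regsvr32.exe /s /n /i:U shell32.dll"
"Version"="10,0,19041,0"
"IsInstalled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}]
@="Updater"
"StubPath"="powershell.exe -w hidden -ep bypass -f \"C:\\Users\\victim\\AppData\\Roaming\\Melibiose.ps1\""
"Version"="1,0,0,0"

[HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
"Version"="10,0,19041,0"
'''

if __name__ == "__main__":
    for f in triage(SAMPLE_REG):
        print(f"{f['guid']} run={f['will_run']} suspicious={f['suspicious']} :: {f['stub']}")
```

To use it on a live host, export both roots (`reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" hklm.reg` and the HKCU equivalent from the affected user's session), concatenate the files, and pass the text to `triage`. An entry that is already mirrored in HKCU has fired at least once, so the absence of `will_run` is evidence of past execution, not of safety.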