General

  • Target

    23102024_1333_22102024_PAGO FRAS. AGOSTO 2024..rar

  • Size

    821KB

  • Sample

    241023-qt1vcavbqp

  • MD5

    7c0c32313ef42dfccabc44463d748f73

  • SHA1

    e62e61c86aa36e8ed559d3a3580c4245e993152f

  • SHA256

    98a385cd6387d809e8b82d8634c542da05f43b977f5c0c57304df2ef725200fb

  • SHA512

    35ebcc0ed734d579d3b18a266fd7a34e3ce5607604e845274bfb2898b8ef8778a1b18034f34d27a73982d9dcb2a6316aaec0d7938648e3d24f05cb55f24d6c7e

  • SSDEEP

    12288:sk0eiMTI/uzNYJCbKx5IfEeNNN7RrLCcSsivedM0Qiu1YNt9tQlxdbK/y2TqwP6p:V0xMa1s65IfEeu9e23i2SEN4qs8v

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      PAGO FRAS. AGOSTO 2024..exe

    • Size

      900KB

    • MD5

      d2bb55d90b4fe13d981297c8f452e810

    • SHA1

      e35c73e93bef613a1aa1cb7707b8cde2489df897

    • SHA256

      a286c68d65f2582414caf8229aeaba8365d7b84de92c5da4c39b7482136b5271

    • SHA512

      875819a87d64cee9a3d9f4e9afb84adca711d72d7b8a5b3837cd22abff017e57434b8a0de7502118e2a16aaada2d3ab4d89a3cc8db0207d22278ae6046ef4547

    • SSDEEP

      24576:obu96/xtr62ldmWFZD6lm7Pytae6/B1Gl:vC3tmKZgm7OjGB1Gl

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Accesses Microsoft Outlook profiles

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Vesperkost.Ufo

    • Size

      53KB

    • MD5

      e35283bacb62d15976b5841105b466a1

    • SHA1

      0203661c08ae261483cd9da1c21d7173f8ea329d

    • SHA256

      d6a7990b9c733d4ba3b1b0d2e5e42dfa2253b22fe345f4870bf24686c516788d

    • SHA512

      9a0fbd409e74472330f6ec78e453af0825704d3d1f132657b6f8f32f738d51dc70a4124edade7c0fe3c6cc48c6774f8d822d4207d7e5f0879ae386df3e9521e6

    • SSDEEP

      1536:aU2++zktjXZ1gOBaa9pa5LXX4goZUxnIJu+OEK5Nl:BjJ1gf9Ln4rOxnp+O5Nl

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks