General

  • Target

    0473ffcd0dbaddac6344a44a1ce59354f267e1f7c1db1b6eb670a48244e2c615

  • Size

    834KB

  • Sample

    241023-tntevs1dpn

  • MD5

    0ccd84494dff71f3ee7267b53069c826

  • SHA1

    678aaceb8ec8ca08e39f30ca1061330935d7ca54

  • SHA256

    0473ffcd0dbaddac6344a44a1ce59354f267e1f7c1db1b6eb670a48244e2c615

  • SHA512

    da46c9687291c1c0a729dc516cbeb6e8c1a76861ef3361d9233053f9d2f37450b81fc8ed5b02fcf8b09e52cb2970e1e2fcee98794e180c95398e7fb759360d19

  • SSDEEP

    24576:GaPv/3RuEwoxxppiCVs2oWfpVRRKKL3cU:G6v/BZxiCVs2RTRR1cU

Malware Config

Extracted

Family

vipkeylogger

Credentials
C2

https://api.telegram.org/bot7323823089:AAFBRsTW94zIpSoDS8yfGsotlQLqF2I6TU0/sendMessage?chat_id=5013849544

Targets

    • Target

      RFQ NO - NÚMERO DO PEDIDO 106673.exe

    • Size

      1.2MB

    • MD5

      9d1b974a38b19a833b69f2bfdc0688f8

    • SHA1

      cbdf6cf01a69f8477cfc50d1cc1490457d28d7f3

    • SHA256

      7ff42bacf844ade960d12cf1df99ce36be17f18903d2188e8de6d410033acaf1

    • SHA512

      884c2fb4bd1d8b97fc153c0cc8dbcd0cf9d4eb5ed741fc2d1cd409735fe3f41e7382a7dc2ed21415753b4b5dd89ec7849ff0e21144ec988ed7c4b5e4e623cd41

    • SSDEEP

      24576:ffmMv6Ckr7Mny5QLSvogytmuL2T1101DTxGQ8X:f3v+7/5QLCItmce11KTcQ8X

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks