General

  • Target

    a4956913217c76927966d7f96d647a087749705a1d45d17a11e19f2a707fd9e7

  • Size

    886KB

  • Sample

    241023-yw7dxazcnj

  • MD5

    87b6b9152413a1494d2b76fd31ba9691

  • SHA1

    dbd36c622142cd929deb87892a96b9331161f661

  • SHA256

    a4956913217c76927966d7f96d647a087749705a1d45d17a11e19f2a707fd9e7

  • SHA512

    98d4839a46c8aee23f08c60a2440827330458695f44ea9f0a429df5ca961acdf456a68244925b6802d4107e19d294e025b3d631db789d6c624f57b1b4a1a3f57

  • SSDEEP

    24576:OVzql6BXY56sFN5aobDWJGiOFCLdi9hdTtcp14lZ0:OVq56uaoXWo3aehdT6kQ

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.ionos.es
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    #BOYS_2019_ToNa#

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      justificante de pago.exe

    • Size

      990KB

    • MD5

      d3c00b7eda8c538a2938610398e69a74

    • SHA1

      cd93e03dc64c2064d0aa586e00a00f9c99ea36bc

    • SHA256

      2e2dd6f6dd471723ad206f6b8f154f3a84aba592e2838942b5e35b4378522ef4

    • SHA512

      719c03d1ded02334f1f74812f8e4a193f9028291eb190d4e241b4b34b055c6c7deef31bf33bea047a551ee14df35443a6cefe294907ac87b0918dade5f470837

    • SSDEEP

      24576:J+63+OSOWAnNN591nNr8xAGuwIm/yWiopvC9wF:J+tOSqnNN591S/RaWi6MwF

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first found in 2020.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Accesses Microsoft Outlook profiles

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Fyldiges.Tid

    • Size

      53KB

    • MD5

      dbe1380eb686fc84a3cd87ee84077382

    • SHA1

      66a6b15521a3affc3d9b893554475078f41224a0

    • SHA256

      b05d49191a62ec38497b0ae6378c984ac2013d6fec29b62d94299d88f5d5d279

    • SHA512

      84987e2a263284df3d365caed6b549c93f23ad0982ffa7b8acfd21562c68ad1a2b198a47b2877e6ef4c4d679fe710cefa2df0de37a303a64838ac1b796d9335c

    • SSDEEP

      1536:S5OtREySF0zWeeIsGsnhPqsw7XKIVoR9Fj:S5OtREyxWegnhPq3s9Z

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks