General
Target: Factura nºB-2542.exe
Size: 988KB
Sample: 241025-qedq9s1bnp
MD5: c89d5d369408ff5c12dd5a32035031b1
SHA1: 393de5add6a79af460531dc7b2928575b77cc1e8
SHA256: 58f9f743991ae34156110370b466d2d2a9d6b47f0719774dadaf7c7946b12995
SHA512: f6b96d942f511bb0793a2723e4990d5659f89077cfe61595385a7d7b0a72786d5d441fa18fad8decb180dfc9f5e4a2cc63066f393ffd8b6b6b1d26c1fcb7ef1d
SSDEEP: 12288:lBu+je2mxUPA/sSInOP2/Ob6Aqxc8jYfNrnEoYhJLAMhuwIm/toWyqTnoXnPolx4:C+63xnION6qNr8xAGuwIm/yWiopvC9wG
Static task: static1
Behavioral task behavioral1: sample Factura nºB-2542.exe, resource win7-20240903-en
Behavioral task behavioral2: sample Factura nºB-2542.exe, resource win10v2004-20241007-en
Behavioral task behavioral3: sample Augustinermunken.ps1, resource win7-20240903-en
Behavioral task behavioral4: sample Augustinermunken.ps1, resource win10v2004-20241007-en
Malware Config
Extracted
Family: vipkeylogger
Protocol: smtp
Host: smtp.ionos.es
Port: 587
Username: [email protected]
Password: Escaragol?24
Email To: [email protected]
Targets
Target: Factura nºB-2542.exe (988KB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.
- Vipkeylogger family
- Accesses Microsoft Outlook profiles
- Blocklisted process makes network request
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
Target: Augustinermunken.Tja
Size: 52KB
MD5: 57e9c285fe348d5cdc4d72511ab0eb1c
SHA1: cff3a7310a7493adf99b4d7243732e285f104389
SHA256: d92dc24d51ddcc60756a2b6cd78c26eefe27b8742d94007336f0ef486d842253
SHA512: 7259f5f06cc5acda7f6a1c044d9f18af928e32dbc212ac35b8136f6f179eb1b53e96a570330ee1420e6292c194e479b8c7154c28c76d24f74c4c7650eb60b4b0
SSDEEP: 1536:CpNLh34TFAmz6+7c/tsNVnNVDeC+MnMDkSP:IF9pmmwNTdeC+MMISP
Score: 8/10
- Boot or Logon Autostart Execution: Active Setup. Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.