General

  • Target

    Factura nºB-2542.exe

  • Size

    988KB

  • Sample

    241025-qedq9s1bnp

  • MD5

    c89d5d369408ff5c12dd5a32035031b1

  • SHA1

    393de5add6a79af460531dc7b2928575b77cc1e8

  • SHA256

    58f9f743991ae34156110370b466d2d2a9d6b47f0719774dadaf7c7946b12995

  • SHA512

    f6b96d942f511bb0793a2723e4990d5659f89077cfe61595385a7d7b0a72786d5d441fa18fad8decb180dfc9f5e4a2cc63066f393ffd8b6b6b1d26c1fcb7ef1d

  • SSDEEP

    12288:lBu+je2mxUPA/sSInOP2/Ob6Aqxc8jYfNrnEoYhJLAMhuwIm/toWyqTnoXnPolx4:C+63xnION6qNr8xAGuwIm/yWiopvC9wG

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.ionos.es
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Escaragol?24
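The extracted block above is the sample's exfiltration channel: it mails captured keystrokes and credentials through an SMTP submission port with an attacker-owned mailbox. A detection pass over endpoint network-connection telemetry built from that config, as an added example that is not part of the sandbox report: EXTRACTED_SMTP carries the host and port extracted above, while the CSV layout (modelled on Sysmon Event ID 3 fields), the ALLOWED_MAIL_CLIENTS allowlist and every log line are constructed for this example and are assumptions.

```python
"""Hunt for the SMTP exfiltration channel described by the extracted config.

Added example, not part of the sandbox report. EXTRACTED_SMTP holds the host
and port the sandbox pulled from the sample; the CSV layout, the
ALLOWED_MAIL_CLIENTS allowlist and every log line below are constructed for
this example (modelled on Sysmon Event ID 3 fields) and are assumptions.
"""
import csv
import io

EXTRACTED_SMTP = {"host": "smtp.ionos.es", "port": 587}   # from the report's Malware Config
SMTP_PORTS = {25, 465, 587}                                # relay and submission ports
# Processes expected to speak SMTP directly from an endpoint (assumed; tune per fleet).
ALLOWED_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Constructed telemetry: one legitimate mail client, the sample itself, a benign
# update check, and an unrelated PowerShell process talking SMTP.
SAMPLE_LOG = """utc_time,image,dest_host,dest_port
2024-10-25 10:12:01,C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE,smtp.office365.com,587
2024-10-25 10:13:44,C:\\Users\\victim\\AppData\\Local\\Temp\\Factura nºB-2542.exe,smtp.ionos.es,587
2024-10-25 10:14:02,C:\\Windows\\System32\\svchost.exe,update.microsoft.com,443
2024-10-25 10:15:10,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,smtp.gmail.com,465
"""


def _basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def scan_network_log(log_text: str) -> list:
    """Return one finding per suspicious outbound SMTP connection.

    HIGH:   destination matches the host:port extracted from this sample.
    MEDIUM: any other SMTP-port connection from a process that is not an
            allowlisted mail client (other builds carry other mailboxes).
    """
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        port = int(row["dest_port"])
        host = row["dest_host"].strip().lower()
        proc = _basename(row["image"])
        finding = {"time": row["utc_time"], "process": proc, "dest": f"{host}:{port}"}
        if host == EXTRACTED_SMTP["host"] and port == EXTRACTED_SMTP["port"]:
            finding.update(severity="HIGH", reason="matches extracted VIPKeylogger exfil config")
        elif port in SMTP_PORTS and proc not in ALLOWED_MAIL_CLIENTS:
            finding.update(severity="MEDIUM", reason="non-mail-client process speaking SMTP")
        else:
            continue
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_network_log(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['time']} {f['process']} -> {f['dest']}: {f['reason']}")
```

The exact host:port match is the high-confidence indicator for this build; the process-based rule is what keeps catching the family once the operator rotates the mailbox, at the cost of tuning the allowlist for legitimate mail agents in your environment.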

Extracted

Family

vipkeylogger

Targets

    • Target

      Factura nºB-2542.exe

    • Size

      988KB

    • MD5

      c89d5d369408ff5c12dd5a32035031b1

    • SHA1

      393de5add6a79af460531dc7b2928575b77cc1e8

    • SHA256

      58f9f743991ae34156110370b466d2d2a9d6b47f0719774dadaf7c7946b12995

    • SHA512

      f6b96d942f511bb0793a2723e4990d5659f89077cfe61595385a7d7b0a72786d5d441fa18fad8decb180dfc9f5e4a2cc63066f393ffd8b6b6b1d26c1fcb7ef1d

    • SSDEEP

      12288:lBu+je2mxUPA/sSInOP2/Ob6Aqxc8jYfNrnEoYhJLAMhuwIm/toWyqTnoXnPolx4:C+63xnION6qNr8xAGuwIm/yWiopvC9wG

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it closely resembles SnakeKeylogger, which was first observed in 2020.

    • Vipkeylogger family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Accesses Microsoft Outlook profiles

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Augustinermunken.Tja

    • Size

      52KB

    • MD5

      57e9c285fe348d5cdc4d72511ab0eb1c

    • SHA1

      cff3a7310a7493adf99b4d7243732e285f104389

    • SHA256

      d92dc24d51ddcc60756a2b6cd78c26eefe27b8742d94007336f0ef486d842253

    • SHA512

      7259f5f06cc5acda7f6a1c044d9f18af928e32dbc212ac35b8136f6f179eb1b53e96a570330ee1420e6292c194e479b8c7154c28c76d24f74c4c7650eb60b4b0

    • SSDEEP

      1536:CpNLh34TFAmz6+7c/tsNVnNVDeC+MnMDkSP:IF9pmmwNTdeC+MMISP

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.
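The dropped component above persists through Active Setup, and the first stage already showed PowerShell being launched with a hidden window. A triage pass that ties the two together by reading an exported Active Setup hive, as an added example that is not part of the sandbox report: it assumes a .reg export of HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components (for instance from `reg export`, saved as UTF-8 here rather than the UTF-16 that reg.exe writes), and the export, its GUIDs and its paths are constructed for the example and do not come from the sample.

```python
"""Triage Active Setup persistence from an exported registry hive.

Added example, not part of the sandbox report. Assumes a .reg export of
HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components (e.g. from
`reg export`, re-saved as UTF-8). The export below, its GUIDs and its paths
are constructed for this example and are not from the analysed sample.
"""
import re

ACTIVE_SETUP_KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\"

_SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<val>.*)"$')
# StubPath living somewhere a standard user can write to.
_USER_WRITABLE = re.compile(r"\\(Users|AppData|Temp|ProgramData|Public)\\", re.IGNORECASE)
# PowerShell launched hidden, with policy bypass or an encoded command.
_HIDDEN_PS = re.compile(
    r"powershell(\.exe)?\b.*(-w(indowstyle)?\s+hidden|-e(xecutionpolicy|p)\s+bypass|-enc)",
    re.IGNORECASE)
_TRUSTED_DIR = re.compile(r"^(C:\\Windows\\|C:\\Program Files)", re.IGNORECASE)

# Constructed export: one benign Windows-style component and one malicious one.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-0000000000A1}]
"StubPath"="C:\\Windows\\System32\\regsvr32.exe /s /n /i:U shell32.dll"
"Version"="6,0,0,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-0000000000B2}]
"StubPath"="powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\\Users\\Public\\update.ps1"
"Version"="1,0,0,0"
"""


def _unescape(value: str) -> str:
    """Undo .reg string escaping (\\\\ and \\")."""
    return value.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> dict:
    """Map each [key] section to its REG_SZ values ({key: {name: value}})."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _SECTION.match(line)
        if m:
            current = m.group("key")
            keys[current] = {}
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = _unescape(m.group("val"))
    return keys


def triage_active_setup(reg_text: str) -> list:
    """Return Active Setup components whose StubPath looks like persistence."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if not key.lower().startswith(ACTIVE_SETUP_KEY.lower()):
            continue
        stub = values.get("StubPath")
        if not stub:
            continue
        reasons = []
        if _HIDDEN_PS.search(stub):
            reasons.append("hidden/bypassing PowerShell launcher")
        if _USER_WRITABLE.search(stub):
            reasons.append("StubPath in user-writable location")
        if not reasons and not _TRUSTED_DIR.match(stub):
            reasons.append("StubPath outside Windows/Program Files")
        if reasons:
            findings.append({"component": key.rsplit("\\", 1)[-1],
                             "stub_path": stub, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_active_setup(SAMPLE_REG):
        print(f["component"], "->", f["stub_path"], "|", "; ".join(f["reasons"]))
```

Active Setup runs a component's StubPath once per user at logon when the matching key under HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components is absent or carries a lower Version, so on a live host also export the HKCU side: a flagged component present only under HKLM has not fired for that user yet, one present under both already has.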

MITRE ATT&CK Enterprise v15
