General

  • Target

    Justificante.exe

  • Size

    661KB

  • Sample

    241025-rpleja1cje

  • MD5

    8a9c90ba02c22e957bff42c02e6a4189

  • SHA1

    4fe3080dbf75f99fa64dbf4e35f08560d4b2ef0c

  • SHA256

    8e8286667afb0526fcc2959ef670d63dd0503b8b0914daa7e0905fa77d356628

  • SHA512

    de296476d773f0d61feb647376ee9f2131463bafb18243adcfd8ccd2e6b958ebf90294d24e09a1ef526ff8b25d8d6d291217766514d6cdd9f60afc8ed417bb50

  • SSDEEP

    12288:vc5+AfopdAeHHn7XpjIW0ep9Rr2M/iTGYqWofv1zSFXMhuV+7+bY:vZAaAeHHlECyCiuW095ugcY

Malware Config

Extracted

Family

vipkeylogger

Credentials

C2

https://api.telegram.org/bot7422104780:AAE8Q_pLcHk4fu5XIMEQar6JqYuE_1O_qCg/sendMessage?chat_id=7451270736
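The extracted C2 is a Telegram Bot API endpoint, so the full bot token and the receiving chat_id are sitting in the URL itself. The following is an added example (not part of the sandbox report) that parses that URL into structured IOCs and then hunts, in proxy log lines, for both this exact token and for any other non-browser process pushing data through a Telegram bot. The proxy log lines are constructed for illustration; only the first URL is the one reported above.

```python
"""Parse the Telegram Bot API C2 URL into IOCs and hunt for Bot API exfiltration
in proxy logs.  Added example; the log lines below are constructed."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# A bot token is "<numeric bot id>:<secret>".  The secret is 35 characters of
# [A-Za-z0-9_-] in practice; accept 30 or more so the pattern is not brittle.
TOKEN_RE = re.compile(r"/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})/(?P<method>\w+)/?$")


@dataclass(frozen=True)
class TelegramC2:
    bot_id: str
    token: str
    method: str
    chat_id: str


def parse_telegram_c2(url: str) -> TelegramC2:
    """Split a Bot API URL into bot id, full token, API method and chat_id."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        raise ValueError(f"not a Telegram Bot API URL: {url}")
    m = TOKEN_RE.search(parts.path)
    if m is None:
        raise ValueError(f"no bot token in path: {parts.path}")
    chat_id = parse_qs(parts.query).get("chat_id", [""])[0]
    return TelegramC2(m["bot_id"], f"{m['bot_id']}:{m['secret']}", m["method"], chat_id)


# C2 URL exactly as reported for this sample.
C2_URL = ("https://api.telegram.org/bot7422104780:AAE8Q_pLcHk4fu5XIMEQar6JqYuE_1O_qCg"
          "/sendMessage?chat_id=7451270736")
KNOWN = parse_telegram_c2(C2_URL)

# Methods a stealer uses to push stolen data out.  getUpdates would mean the
# bot is *receiving* commands, a different and rarer pattern.
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed proxy log lines: "<timestamp> <process> <verb> <url>".
PROXY_LOG = """\
2024-10-25T10:12:01Z Justificante.exe POST https://api.telegram.org/bot7422104780:AAE8Q_pLcHk4fu5XIMEQar6JqYuE_1O_qCg/sendMessage?chat_id=7451270736
2024-10-25T10:12:03Z chrome.exe GET https://web.telegram.org/k/
2024-10-25T10:15:44Z updater.exe POST https://api.telegram.org/bot1111111111:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sendDocument?chat_id=42
2024-10-25T10:16:10Z Justificante.exe GET https://api.telegram.org/bot7422104780:AAE8Q_pLcHk4fu5XIMEQar6JqYuE_1O_qCg/getMe
"""


def hunt(log: str, known: TelegramC2 = KNOWN) -> list[tuple[str, str, str]]:
    """Return (process, verdict, bot_id) for every Bot API request in the log.

    "known_c2"      : token matches this sample's extracted config
    "bot_api_exfil" : another non-browser process pushing data via a bot
    "bot_api_other" : remaining Bot API traffic, worth a look but lower priority
    """
    hits = []
    for line in log.splitlines():
        _ts, proc, _verb, url = line.split(maxsplit=3)
        if urlsplit(url).hostname != "api.telegram.org":
            continue
        try:
            c2 = parse_telegram_c2(url)
        except ValueError:
            continue
        if c2.token == known.token:
            verdict = "known_c2"
        elif c2.method in EXFIL_METHODS and proc.lower() not in BROWSERS:
            verdict = "bot_api_exfil"
        else:
            verdict = "bot_api_other"
        hits.append((proc, verdict, c2.bot_id))
    return hits


if __name__ == "__main__":
    print(KNOWN)
    for hit in hunt(PROXY_LOG):
        print(*hit)
```

Matching on the token rather than the whole URL matters: the same bot can be driven through sendDocument, getMe or a different chat_id, and the token is the one part the operator cannot vary without re-registering the bot. The browser allowlist only suppresses the generic verdict; a known token fires regardless of the process.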

Targets

    • Target

      Justificante.exe

    • Size

      661KB

    • MD5

      8a9c90ba02c22e957bff42c02e6a4189

    • SHA1

      4fe3080dbf75f99fa64dbf4e35f08560d4b2ef0c

    • SHA256

      8e8286667afb0526fcc2959ef670d63dd0503b8b0914daa7e0905fa77d356628

    • SHA512

      de296476d773f0d61feb647376ee9f2131463bafb18243adcfd8ccd2e6b958ebf90294d24e09a1ef526ff8b25d8d6d291217766514d6cdd9f60afc8ed417bb50

    • SSDEEP

      12288:vc5+AfopdAeHHn7XpjIW0ep9Rr2M/iTGYqWofv1zSFXMhuV+7+bY:vZAaAeHHlECyCiuW095ugcY

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

    • Vipkeylogger family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its console window hidden.

    • Accesses Microsoft Outlook profiles

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Jobation.udk

    • Size

      51KB

    • MD5

      faace62892757e3f6b6bcdc07c3b75e0

    • SHA1

      1b0bcaaaf1c6b3aeaee3a7eef36f0a1776fb654b

    • SHA256

      6492bacab0fd62ad56b0c444c325f727653725a87fc221e2bb6baf8d56490f89

    • SHA512

      12f0d38ee61532c33c3618525163ed79bb5e51d21cb0d3e35db98b1b4e1cbb42b3569682b2cdd869592c8649e6e83a49e777704980bb207d9790692e59682bbc

    • SSDEEP

      768:Ete4F3/yydoeEGZgA55Gosv5DC8YVeUB3n1oiNgS3V0ORNfBaAVUjJF7PloejYSx:E3F3HdfN/PUQnaiqI0WBt2FZo9SVs2

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.
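Three of the behaviours listed above (hidden-window PowerShell, Active Setup persistence, external IP lookup) leave host telemetry that can be checked without the sandbox. The following is an added example, not from the report, that runs that triage over constructed Sysmon-style events and maps each hit to its ATT&CK technique ID. The IP-lookup host list, the Active Setup GUID, the StubPath target and all file paths are assumptions for illustration; the report does not name any of them.

```python
"""Host-side triage for hidden PowerShell, Active Setup persistence and
external-IP lookup over constructed Sysmon-style events.  Added example."""
import re

# powershell.exe accepts any unambiguous prefix of -WindowStyle, so a rule that
# only looks for the full switch misses "-w hidden" and "-win hidden".
_WS_SWITCHES = "|".join(re.escape("-" + "windowstyle"[:n]) for n in range(11, 0, -1))
HIDDEN_PS_RE = re.compile(rf"(?i)(?<!\S)(?:{_WS_SWITCHES})\s+hidden\b")

# Assumed analyst-maintained list of public IP-lookup services (not from the report).
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "icanhazip.com",
                   "ip-api.com", "ipinfo.io"}

# StubPath is the command Active Setup runs at next logon; Version/IsInstalled
# writes are installer noise on their own and are not flagged here.
ACTIVE_SETUP_RE = re.compile(
    r"(?i)^HKLM\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Active Setup\\"
    r"Installed Components\\[^\\]+\\StubPath$")

# Constructed Sysmon-style events: 1 = process create, 13 = registry value set,
# 22 = DNS query.  The GUID and paths are placeholders.
EVENTS = [
    {"id": 1, "image": r"C:\Users\u\Downloads\Justificante.exe",
     "cmdline": r'"C:\Users\u\Downloads\Justificante.exe"'},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\u\Downloads\Justificante.exe",
     "cmdline": 'powershell.exe -w hidden -ep bypass -c "Start-Sleep 30"'},
    {"id": 13, "image": r"C:\Users\u\Downloads\Justificante.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
               r"\{00000000-0000-0000-0000-000000000000}\StubPath",
     "details": r"C:\Users\u\AppData\Roaming\svc.exe"},
    {"id": 22, "image": r"C:\Users\u\Downloads\Justificante.exe", "query": "api.ipify.org"},
    {"id": 22, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "query": "www.microsoft.com"},
    {"id": 13, "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
               r"\{00000000-0000-0000-0000-000000000000}\Version",
     "details": "1,0,0,0"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe -NoProfile"},
]


def triage(events: list[dict]) -> list[tuple[int, str, str]]:
    """Return (event index, ATT&CK technique, reason) for each suspicious event."""
    findings = []
    for i, ev in enumerate(events):
        image = ev["image"].lower()
        if ev["id"] == 1 and image.endswith(("powershell.exe", "pwsh.exe")) \
                and HIDDEN_PS_RE.search(ev.get("cmdline", "")):
            findings.append((i, "T1059.001",
                             f"hidden-window PowerShell spawned by {ev.get('parent', '?')}"))
        elif ev["id"] == 13 and ACTIVE_SETUP_RE.match(ev["target"]):
            findings.append((i, "T1547.014",
                             f"Active Setup StubPath set to {ev['details']} by {ev['image']}"))
        elif ev["id"] == 22 and ev["query"].lower() in IP_LOOKUP_HOSTS:
            findings.append((i, "T1016.001",
                             f"external IP lookup via {ev['query']} by {ev['image']}"))
    return findings


if __name__ == "__main__":
    for idx, technique, reason in triage(EVENTS):
        print(f"event {idx}: {technique}: {reason}")
```

Each rule is deliberately narrow: the PowerShell rule keys on the hidden window rather than on any PowerShell launch (the explorer-spawned `-NoProfile` event stays quiet), and the Active Setup rule fires only on StubPath writes, which is where the re-executed command lives. In production the StubPath rule still needs a baseline, since legitimate installers write the same value.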

MITRE ATT&CK Enterprise v15

Tasks