Overview

overview

10

Static

static

1

JUSTIFICAN...24.exe

windows7-x64

8

JUSTIFICAN...24.exe

windows10-2004-x64

10

Scyphus/Ch...nt.ps1

windows7-x64

3

Scyphus/Ch...nt.ps1

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JUSTIFICANTE PAGO FRAS OCTUBRE 2024.exe

  • Size

    762KB

  • Sample

    241028-n6fc3aygnp

  • MD5

    91ab88ebf2f83aa5c1b1979c37b9ffd3

  • SHA1

    463501f21d5062bfd8f5acb5efd3c8e387e0bb0d

  • SHA256

    94786b06c92a58b375e26bc1328492f06baed13f77e8140f8a2cc892883b4c1e

  • SHA512

    7823d581290e5e53b11320ada2fa88346a1ed58dbd19476f3ee7a6b1e4ec26e21fe841975d93133afc87f820e95844baad34449d0aa6ac20077f2d9123af3fc4

  • SSDEEP

    12288:EPpIEmdhqR0GV9XOOxg+Jf1PcezkBWIbyuwQL3OWntl81tTTZ/Oi5DwFyEionDu1:IpaCWGHXOOxgveC5yRQLvf81BV2m6iow

Score
10/10
vipkeyloggercollectiondiscoveryexecutionkeyloggerpersistencestealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      JUSTIFICANTE PAGO FRAS OCTUBRE 2024.exe

    • Size

      762KB

    • MD5

      91ab88ebf2f83aa5c1b1979c37b9ffd3

    • SHA1

      463501f21d5062bfd8f5acb5efd3c8e387e0bb0d

    • SHA256

      94786b06c92a58b375e26bc1328492f06baed13f77e8140f8a2cc892883b4c1e

    • SHA512

      7823d581290e5e53b11320ada2fa88346a1ed58dbd19476f3ee7a6b1e4ec26e21fe841975d93133afc87f820e95844baad34449d0aa6ac20077f2d9123af3fc4

    • SSDEEP

      12288:EPpIEmdhqR0GV9XOOxg+Jf1PcezkBWIbyuwQL3OWntl81tTTZ/Oi5DwFyEionDu1:IpaCWGHXOOxgveC5yRQLvf81BV2m6iow

    Score
    10/10
    discoveryexecutionvipkeyloggercollectionkeyloggerstealer

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

      stealerkeyloggervipkeylogger

    • Vipkeylogger family

      vipkeylogger

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Accesses Microsoft Outlook profiles

      collection

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      Scyphus/Chefassistent.Tro

    • Size

      50KB

    • MD5

      41ba1786c8305fd337a4c1c154d091af

    • SHA1

      848c471b48a57010eb18a329a974c514fe3d4009

    • SHA256

      4fbbbd334722419f51ab3c5d956dd5feea3bc63dcd998bdc3cc987879de16d9f

    • SHA512

      8926c198c1060c4724891a6cf192749eb5ff7dbc202d2c255be2448c24b45a161380ab3a8ec31cffc4e4091886b6b44e498eb1fd69eb75ba0a205ea31c1edf74

    • SSDEEP

      768:POg5E387hPDUgeu80iz1ED+G5ZfSo5lxAn/edYO6dOa5UP4IcIKO/Y30fheGHuGn:1h4SiWFio5m/emCcIcye0RyvdG

    Score
    8/10
    executionpersistence

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks