General

  • Target

    df90131c240ef4e9b9079e271d16bb1fa5d797ba57a227eb1883814f35358005.exe

  • Size

    778KB

  • Sample

    241031-ejhega1lak

  • MD5

    a992bbd745fa0540c9b12c43f871be00

  • SHA1

    0435dd15bfd760449e06c1dd2413a4963539ff27

  • SHA256

    df90131c240ef4e9b9079e271d16bb1fa5d797ba57a227eb1883814f35358005

  • SHA512

    fdbd173fcaec5728117e5a5de3382b5da110f61799571f60cbf755047b77c9024a638ad558a47316b300a0b7f2053baa05d321f76b09459ce05932d985299737

  • SSDEEP

    24576:zr5Ob+mp4ZW3/EYSdCVNF45yRQLvf81BV2m6ionDuf:SGW3GC/e5yiX8HuD+

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      df90131c240ef4e9b9079e271d16bb1fa5d797ba57a227eb1883814f35358005.exe

    • Size

      778KB

    • MD5

      a992bbd745fa0540c9b12c43f871be00

    • SHA1

      0435dd15bfd760449e06c1dd2413a4963539ff27

    • SHA256

      df90131c240ef4e9b9079e271d16bb1fa5d797ba57a227eb1883814f35358005

    • SHA512

      fdbd173fcaec5728117e5a5de3382b5da110f61799571f60cbf755047b77c9024a638ad558a47316b300a0b7f2053baa05d321f76b09459ce05932d985299737

    • SSDEEP

      24576:zr5Ob+mp4ZW3/EYSdCVNF45yRQLvf81BV2m6ionDuf:SGW3GC/e5yiX8HuD+

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it closely resembles SnakeKeylogger, which was first observed in 2020.

    • Vipkeylogger family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its console window hidden (for example via -WindowStyle Hidden, or an abbreviation such as -w hidden).

    • Accesses Microsoft Outlook profiles

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup web service to determine the infected system's external IP address.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

      Creates a thread with the THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER flag, so the new thread is hidden from an attached debugger.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calls NtSetInformationThread with the ThreadHideFromDebugger information class, which stops debug events from that thread being reported to an attached debugger.

    • Target

      Kmpehjenes.unt

    • Size

      54KB

    • MD5

      43597781601bc20d50b9471e00d7dd55

    • SHA1

      e2f85d659088f7a8dbac0a01cb6b369ea081bb0b

    • SHA256

      4c010add8f075a98219cfdaea2b8b7cbd6a1d2f596045561916e2c1da7c67631

    • SHA512

      be044aaaa9f586318809942495b269ae8dbabd4aeaf4c2c5b70ed51787141bc8cd0ccf4a4fed2921ed3108e1e6edbfdc61b704252631aa2504926bbcd64361ee

    • SSDEEP

      1536:xheJwDvcGy850uvpiIxAM6itrfxgjmpbiCluD/f3LUQB4H2y:uJMkZapQMx7qmNioqX/SD

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup runs the StubPath command of each Installed Components entry under HKLM at user logon when that entry has not yet been recorded under HKCU for the user, so a malicious StubPath executes once per user on their next logon.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.
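The behaviours above (hidden PowerShell execution, the external IP lookup and the Active Setup persistence write) are the ones a detection engineer would want rules for. The following is an added example, not output from this sandbox or code from the VIPKeylogger family: it runs three triage rules over constructed Sysmon-style events (EID 1 process creation, EID 13 registry value set, EID 22 DNS query). The event contents, the GUID and paths in the Active Setup event, the rule names and the starter list of IP lookup hosts are all constructed for illustration.

```python
"""Triage rules for the behaviours this report lists, run over constructed
Sysmon-style events. Added example: the events, rule names and the IP-lookup
host list are constructed for illustration, not sandbox output."""
import re
from dataclasses import dataclass
from typing import List

# Web services stealers commonly query to learn the victim's public IP.
# Constructed starter list; extend it from your own DNS telemetry.
IP_LOOKUP_HOSTS = {
    "api.ipify.org",
    "checkip.dyndns.org",
    "ipinfo.io",
    "icanhazip.com",
    "ifconfig.me",
}


def _prefixes(word: str) -> str:
    # powershell.exe resolves any unambiguous prefix of a switch name, so
    # "-w", "-win" and "-WindowStyle" all select the same parameter; the
    # rule accepts the same abbreviation for the value to stay robust.
    return "|".join(re.escape(word[:n]) for n in range(len(word), 0, -1))


HIDDEN_WINDOW_RE = re.compile(
    r"(?:^|\s)-(?:%s)\s+(?:%s)\b" % (_prefixes("windowstyle"), _prefixes("hidden")),
    re.IGNORECASE,
)

# Sysmon TargetObject for a StubPath value under Active Setup (T1547.014),
# including the WOW6432Node view used by 32-bit installers on 64-bit Windows.
ACTIVE_SETUP_RE = re.compile(
    r"\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Active Setup\\Installed Components\\[^\\]+\\StubPath$",
    re.IGNORECASE,
)

# Locations a legitimate Active Setup component should not launch from.
USER_WRITABLE_DIRS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")


@dataclass
class Event:
    """Subset of Sysmon fields: EID 1 process create, 13 registry value set, 22 DNS query."""
    event_id: int
    image: str = ""
    command_line: str = ""
    target_object: str = ""
    details: str = ""
    query_name: str = ""


@dataclass
class Finding:
    rule: str
    technique: str
    evidence: str


def triage(events: List[Event]) -> List[Finding]:
    findings = []
    for ev in events:
        image = ev.image.rsplit("\\", 1)[-1].lower()
        if (ev.event_id == 1 and image in ("powershell.exe", "pwsh.exe")
                and HIDDEN_WINDOW_RE.search(ev.command_line)):
            findings.append(Finding("hidden_powershell", "T1059.001", ev.command_line))
        elif ev.event_id == 22 and ev.query_name.lower() in IP_LOOKUP_HOSTS:
            findings.append(Finding("external_ip_lookup", "T1016", ev.query_name))
        elif ev.event_id == 13 and ACTIVE_SETUP_RE.search(ev.target_object):
            # Any StubPath write is worth a look; one pointing into a
            # user-writable directory is the stronger signal.
            stub = ev.details
            severity = "high" if any(d in stub.lower() for d in USER_WRITABLE_DIRS) else "medium"
            findings.append(Finding("active_setup_persistence", "T1547.014", f"{severity}: {stub}"))
    return findings


# Constructed events mimicking what the report's behaviours would produce.
SAMPLE_EVENTS = [
    Event(1, image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          command_line=r'powershell.exe -w hidden -NoProfile -c "Start-Sleep -s 10"'),
    Event(1, image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          command_line=r'powershell.exe -NoProfile -c "Get-Date"'),  # benign: window not hidden
    Event(22, image=r"C:\Users\victim\AppData\Local\Temp\sample.exe", query_name="api.ipify.org"),
    Event(22, image=r"C:\Program Files\Browser\browser.exe", query_name="www.example.com"),
    Event(13, image=r"C:\Users\victim\AppData\Local\Temp\sample.exe",
          target_object=r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000000}\StubPath",
          details=r"C:\Users\Public\updater.exe"),  # placeholder GUID and path, constructed
    Event(13, image=r"C:\Windows\System32\msiexec.exe",
          target_object=r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000000}\Version",
          details="1,0,0,0"),  # version bump only, not a launch command
]


def run_sample() -> List[Finding]:
    return triage(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.technique}] {f.rule}: {f.evidence}")
```

The Active Setup rule deliberately fires on any StubPath write rather than only on user-writable paths: legitimate installers rarely touch those values after setup, so the medium-severity hits are a small, reviewable set, while a StubPath pointing into a user or temp directory is escalated.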

MITRE ATT&CK Enterprise v15

Tasks