General
Target: b14a6ae47087452c572290a6751d38060053a73ccb71116e36d0fd14f2b81930N
Size: 896KB
Sample: 241031-hm7ejstapj
MD5: a9db2d901fb8e35262182b9e58cfba30
SHA1: 6dc3daeac04e38ed4862c7b5a06550aa71717265
SHA256: b14a6ae47087452c572290a6751d38060053a73ccb71116e36d0fd14f2b81930
SHA512: e1dfaa18e15e37884c866aa6b55344c2aefb03c56879ca669664e21204dbf577fedfc490a6c35a672577b263b328e01f8214a9da8c2f4e22833763685a87e24a
SSDEEP: 12288:D5e/L/uXaJJmLdZtOC+sDiGpCJdJIKDurlKRFP7Pytafm6wY8yujWX6zZmvj1GQ:QbuXoJmLdb+sD96pD6lm7Pytae6/B1GQ
Static task: static1

Behavioral task: behavioral1
  Sample: b14a6ae47087452c572290a6751d38060053a73ccb71116e36d0fd14f2b81930N.exe
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: b14a6ae47087452c572290a6751d38060053a73ccb71116e36d0fd14f2b81930N.exe
  Resource: win10v2004-20241007-en

Behavioral task: behavioral3
  Sample: Kommuneplanlgninger.ps1
  Resource: win7-20241010-en

Behavioral task: behavioral4
  Sample: Kommuneplanlgninger.ps1
  Resource: win10v2004-20241007-en
Malware Config
Extracted family: vipkeylogger
  Protocol: smtp
  Host: smtp.ionos.es
  Port: 587
  Username: [email protected]
  Password: Escaragol?24
  Email To: [email protected]
Targets

Target: b14a6ae47087452c572290a6751d38060053a73ccb71116e36d0fd14f2b81930N
Size: 896KB
MD5: a9db2d901fb8e35262182b9e58cfba30
SHA1: 6dc3daeac04e38ed4862c7b5a06550aa71717265
SHA256: b14a6ae47087452c572290a6751d38060053a73ccb71116e36d0fd14f2b81930
SHA512: e1dfaa18e15e37884c866aa6b55344c2aefb03c56879ca669664e21204dbf577fedfc490a6c35a672577b263b328e01f8214a9da8c2f4e22833763685a87e24a
SSDEEP: 12288:D5e/L/uXaJJmLdZtOC+sDiGpCJdJIKDurlKRFP7Pytafm6wY8yujWX6zZmvj1GQ:QbuXoJmLdb+sD96pD6lm7Pytae6/B1GQ

Signatures:
- VIPKeylogger: VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.
- Vipkeylogger family
- Accesses Microsoft Outlook profiles
- Blocklisted process makes network request
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
Target: Kommuneplanlgninger.Cal
Size: 54KB
MD5: 37f8dac13fd502b37cb27c3d3ab7d17c
SHA1: a8e70027ea884b6f95a162e89b70158d95bb6ba1
SHA256: a2881223a270ed0b58b34944023147103c75c0366780f060c9f41d8b637b35d1
SHA512: 6a4537f4c6ebd2f17afc9bf197b390d045d3b9085deccdb8c91b57a1a9789d9680da4862d2136ad1c8070993a98e8a40a3b9220d54b26cc844bde71a034c686b
SSDEEP: 1536:7e8gx+5Pfe89991Yq+nWXYgUQjUwb9mdsD2cmIcu4:ahAlfV991BiWX4FsXxmIw
Score: 8/10

Signatures:
- Boot or Logon Autostart Execution: Active Setup: adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.