General

  • Target

    b14a6ae47087452c572290a6751d38060053a73ccb71116e36d0fd14f2b81930N

  • Size

    896KB

  • Sample

    241031-hm7ejstapj

  • MD5

    a9db2d901fb8e35262182b9e58cfba30

  • SHA1

    6dc3daeac04e38ed4862c7b5a06550aa71717265

  • SHA256

    b14a6ae47087452c572290a6751d38060053a73ccb71116e36d0fd14f2b81930

  • SHA512

    e1dfaa18e15e37884c866aa6b55344c2aefb03c56879ca669664e21204dbf577fedfc490a6c35a672577b263b328e01f8214a9da8c2f4e22833763685a87e24a

  • SSDEEP

    12288:D5e/L/uXaJJmLdZtOC+sDiGpCJdJIKDurlKRFP7Pytafm6wY8yujWX6zZmvj1GQ:QbuXoJmLdb+sD96pD6lm7Pytae6/B1GQ

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      b14a6ae47087452c572290a6751d38060053a73ccb71116e36d0fd14f2b81930N

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first observed in 2020.

    • Vipkeylogger family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Accesses Microsoft Outlook profiles

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Kommuneplanlgninger.Cal

    • Size

      54KB

    • MD5

      37f8dac13fd502b37cb27c3d3ab7d17c

    • SHA1

      a8e70027ea884b6f95a162e89b70158d95bb6ba1

    • SHA256

      a2881223a270ed0b58b34944023147103c75c0366780f060c9f41d8b637b35d1

    • SHA512

      6a4537f4c6ebd2f17afc9bf197b390d045d3b9085deccdb8c91b57a1a9789d9680da4862d2136ad1c8070993a98e8a40a3b9220d54b26cc844bde71a034c686b

    • SSDEEP

      1536:7e8gx+5Pfe89991Yq+nWXYgUQjUwb9mdsD2cmIcu4:ahAlfV991BiWX4FsXxmIw

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks