Overview

overview

10

Static

static

1

f2a43dfd83...3a.exe

windows7-x64

8

f2a43dfd83...3a.exe

windows10-2004-x64

10

$_12_/Swanson.ps1

windows7-x64

3

$_12_/Swanson.ps1

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    f2a43dfd835590b763acc7ee05f4763c0cb047f50d8a1b82ff4c56c528e9f73a.exe

  • Size

    443KB

  • Sample

    241105-syl8vswmhn

  • MD5

    eb54141b5e25102ff3b58c37705752ce

  • SHA1

    11a0cddab8eb1d02e56ae7431cd341308ab97d15

  • SHA256

    f2a43dfd835590b763acc7ee05f4763c0cb047f50d8a1b82ff4c56c528e9f73a

  • SHA512

    2a18299b04ef8d78b34081412858106471e480d253ce4b83ccda08368833e08fa739443e4b674e2b4e5ef0723b8ea4d0f6abfdb1d8af2711d00b384f53f6deae

  • SSDEEP

    12288:aTMfFqZXFzJOEL9GiKuULwuxr2sN9cdPV+a:aTMfFqxFkuK1LBig9qPV

Score
10/10
vipkeyloggercollectiondiscoveryexecutionkeyloggerpersistencestealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      f2a43dfd835590b763acc7ee05f4763c0cb047f50d8a1b82ff4c56c528e9f73a.exe

    • Size

      443KB

    • MD5

      eb54141b5e25102ff3b58c37705752ce

    • SHA1

      11a0cddab8eb1d02e56ae7431cd341308ab97d15

    • SHA256

      f2a43dfd835590b763acc7ee05f4763c0cb047f50d8a1b82ff4c56c528e9f73a

    • SHA512

      2a18299b04ef8d78b34081412858106471e480d253ce4b83ccda08368833e08fa739443e4b674e2b4e5ef0723b8ea4d0f6abfdb1d8af2711d00b384f53f6deae

    • SSDEEP

      12288:aTMfFqZXFzJOEL9GiKuULwuxr2sN9cdPV+a:aTMfFqxFkuK1LBig9qPV

    Score
    10/10
    discoveryexecutionvipkeyloggercollectionkeyloggerstealer

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

      stealerkeyloggervipkeylogger

    • Vipkeylogger family

      vipkeylogger

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Accesses Microsoft Outlook profiles

      collection

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      $_12_/Swanson.Dru

    • Size

      53KB

    • MD5

      65bc8a11ffd407733d75db48b12391db

    • SHA1

      b526649bf4e91d4ef50ce1b57d07a701577da863

    • SHA256

      74912feae84ab608ad64d41ca97903d73a0da5b250bb333f41bea8fb73acfbd5

    • SHA512

      ec2187b6c90956b8c49238154a429b522ecbebba93bbfc788aa08eea13cb28f6632fcb14539911b577bfe19c7a6d9d0575d6fcb6a27eb35d8333172711eb07e3

    • SSDEEP

      1536:QTlgQpA2Yf12R34GPdTEBmA0cMSCmVCNzAeYV84eEl7RALA:QTWQpW2d4GPdgrMSCvZYeaSA

    Score
    8/10
    executionpersistence

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks