vipkeylogger

General

Target

2d3d809456f1b8181541bafb523c4ec83b4c4a4183378da9d9bd7b8d23aa79aa.exe
Size

657KB
Sample

241106-ctf82sshqg
MD5

8b1f6297418f5bf0ac5aadee8483365a
SHA1

19c4af87dce3d41ee970c205f49c34e05610dedd
SHA256

2d3d809456f1b8181541bafb523c4ec83b4c4a4183378da9d9bd7b8d23aa79aa
SHA512

202ec5769889bc9618498e6a64d59b0ef0a66e3fec75652fe2b9a0db70bc11e276631f1dc7f2237103db955ce6a1b106732335bb9bfa4ed0086b345d6066593d
SSDEEP

12288:v486zV9AmtTec4Hd69GRs5ljIW0ep9Rr2M/iTGYqWofv1zSFXMhuV+7+bp:v16zDADsuklECyCiuW095ugcp

Score

10^/10

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.turktav.com
Port:
587
Username:
[email protected]
Password:
)d!s~MV@X;!M
Email To:
[email protected]

Targets

- Target
  
  2d3d809456f1b8181541bafb523c4ec83b4c4a4183378da9d9bd7b8d23aa79aa.exe
- Size
  
  657KB
- MD5
  
  8b1f6297418f5bf0ac5aadee8483365a
- SHA1
  
  19c4af87dce3d41ee970c205f49c34e05610dedd
- SHA256
  
  2d3d809456f1b8181541bafb523c4ec83b4c4a4183378da9d9bd7b8d23aa79aa
- SHA512
  
  202ec5769889bc9618498e6a64d59b0ef0a66e3fec75652fe2b9a0db70bc11e276631f1dc7f2237103db955ce6a1b106732335bb9bfa4ed0086b345d6066593d
- SSDEEP
  
  12288:v486zV9AmtTec4Hd69GRs5ljIW0ep9Rr2M/iTGYqWofv1zSFXMhuV+7+bp:v16zDADsuklECyCiuW095ugcp
Score

10^/10

discovery execution vipkeylogger collection keylogger stealer
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Accesses Microsoft Outlook profiles
  collection
- Blocklisted process makes network request
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  otherworldly.Kas
- Size
  
  54KB
- MD5
  
  df1cc5262f98c2cf7f51cc5ed85528d7
- SHA1
  
  3d9b2293d194ce127b040b28099591b197b18978
- SHA256
  
  c547c1878b7c38fddc357939a52c840910f36b31c6a720af9a125c91eaaed735
- SHA512
  
  8612721272dc45dc7b3ddad450ac8f66c48a458d249ff0c1adc5582f10daa644a05511c4837931490677c7c6b9d495d905bc610e4abd62b97c083804747c6b82
- SSDEEP
  
  768:OvKcT9rR6ufYsYkYSow0DzhWYeTAISjcrQ6GXtvyRmVM7OgiQcfXkZOE4WD9ivaJ:OvhT9l63xrXV5gAP/xbVM7uOOI99
Score

8^/10

execution persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral3 behavioral4