General

  • Target

    774a43183f4153afcb5a1b2ed08490b443ff13d9d0d52c63bd140509d5b00434.exe

  • Size

    450KB

  • Sample

    241106-dehc8stgrm

  • MD5

    3ce3ee68163ba194a2fd3bed674e118f

  • SHA1

    7658a58176b120ef09dc1b7773a1eeb8ced2f70c

  • SHA256

    774a43183f4153afcb5a1b2ed08490b443ff13d9d0d52c63bd140509d5b00434

  • SHA512

    0f4bede978046e30979d9c14d55de0bb050531b204cab8fccecd677e5df78c743abd50be9aed26daf435f8b9b06e94af80ce0e71207cc843b050c9c967404853

  • SSDEEP

    12288:RTMsmvzoR9prfCyKERuxr2sN9cdPV+apV:RTMBAhfKEiig9qPVdV

Malware Config

Extracted

Family

vipkeylogger

Credentials

C2

https://api.telegram.org/bot7054311495:AAGRkcE01kFv5Hk9G-f-BKj6OWMZeFTXeCk/sendMessage?chat_id=6019867941

Targets

    • Target

      774a43183f4153afcb5a1b2ed08490b443ff13d9d0d52c63bd140509d5b00434.exe

    • Size

      450KB

    • MD5

      3ce3ee68163ba194a2fd3bed674e118f

    • SHA1

      7658a58176b120ef09dc1b7773a1eeb8ced2f70c

    • SHA256

      774a43183f4153afcb5a1b2ed08490b443ff13d9d0d52c63bd140509d5b00434

    • SHA512

      0f4bede978046e30979d9c14d55de0bb050531b204cab8fccecd677e5df78c743abd50be9aed26daf435f8b9b06e94af80ce0e71207cc843b050c9c967404853

    • SSDEEP

      12288:RTMsmvzoR9prfCyKERuxr2sN9cdPV+apV:RTMBAhfKEiig9qPVdV

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it closely resembles SnakeKeylogger, which was first observed in 2020. This sample exfiltrates over the Telegram Bot API (see the C2 URL extracted above), so the bot token and chat_id in that URL are the actionable network indicators.

    • Vipkeylogger family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden (the -WindowStyle Hidden switch or one of its abbreviations).

    • Accesses Microsoft Outlook profiles

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      $_12_/Fantasising.Bat

    • Size

      56KB

    • MD5

      0d22173b681028fd0c3a5c44555df8f2

    • SHA1

      ea5f6d4e22c39c05598c9b7b01713c09f4def959

    • SHA256

      726b2a8c8cb0387da0a5cec5acf004fb2358712b9cbfdafd3d4fdeee4d569837

    • SHA512

      a097b74ab495ce459e62e9937b1400037a25d4f42f5b9a9b87345d43b550625417f4aaa3bc1dc3a816b2b2184fe3c5ca53cf99881e617045726ca1844b76fc7d

    • SSDEEP

      768:Dk/yAKZ/qjdXKAyw59/M+dBcIO0epWo3C+FdZmcjnJe8vxuxrZtDVrAaqAOxibf9:g65/q9Kpw59Dg1p/3N08otZ5V8yai

    Score
    1/10
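The extracted C2 is a Telegram Bot API URL, which carries three indicators worth splitting out: the numeric bot id, the full bot token, and the chat_id the stolen data is posted to. The block below is an added example, not part of the sandbox report or of the malware family's code: it parses that URL into those components and then runs a simple detection over a few constructed proxy log lines (timestamp, process, verb, URL; invented for the example). A hit on the known token is reported as known C2; any other process calling a Bot API "send" method is reported as suspicious, since browsers and normal desktop software do not speak the Bot API directly. The second bot token in the sample log is a dummy value, not a real indicator.

```python
import re
from urllib.parse import urlsplit, parse_qs

# C2 URL as extracted by the sandbox report above (attacker-controlled token and chat).
C2_URL = ("https://api.telegram.org/bot7054311495:AAGRkcE01kFv5Hk9G-f-BKj6OWMZeFTXeCk"
          "/sendMessage?chat_id=6019867941")

# Bot API path layout: /bot<bot_id>:<secret>/<method>
BOT_PATH_RE = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)$")

# Methods a stealer uses to push data out; legitimate endpoints rarely call these directly.
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}


def parse_telegram_c2(url):
    """Return {bot_id, token, method, chat_id} for a Bot API URL, or None otherwise."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != "api.telegram.org":
        return None
    m = BOT_PATH_RE.match(parts.path)
    if not m:
        return None
    qs = parse_qs(parts.query)
    return {
        "bot_id": m["bot_id"],
        "token": f"{m['bot_id']}:{m['secret']}",
        "method": m["method"],
        "chat_id": qs.get("chat_id", [None])[0],
    }


# Tokens known from extracted configs; here just the one from this report.
KNOWN_TOKENS = {parse_telegram_c2(C2_URL)["token"]}

# Constructed proxy log (not from the report): "<timestamp> <process> <verb> <url>".
# The 1111111111:AAAA... token on the second line is a dummy placeholder.
SAMPLE_LOG = """\
2024-11-06T03:14:07Z 774a43183f4153afcb5a1b2ed08490b443ff13d9d0d52c63bd140509d5b00434.exe POST https://api.telegram.org/bot7054311495:AAGRkcE01kFv5Hk9G-f-BKj6OWMZeFTXeCk/sendMessage?chat_id=6019867941
2024-11-06T03:14:09Z powershell.exe POST https://api.telegram.org/bot1111111111:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sendDocument?chat_id=42
2024-11-06T03:14:11Z chrome.exe GET https://web.telegram.org/k/
2024-11-06T03:14:12Z svchost.exe GET https://www.microsoft.com/
"""


def scan_log(log_text, known_tokens=KNOWN_TOKENS):
    """Flag Bot API traffic: known tokens always, unknown tokens only on exfil methods."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # malformed line; a real pipeline would log and skip
        ts, process, verb, url = fields
        c2 = parse_telegram_c2(url)
        if c2 is None:
            continue
        if c2["token"] in known_tokens:
            verdict = "known-c2"
        elif c2["method"] in EXFIL_METHODS:
            verdict = "suspicious-bot-exfil"
        else:
            continue
        findings.append({"time": ts, "process": process, "verb": verb,
                         "verdict": verdict, **c2})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["verdict"], f["process"], f["token"], f["chat_id"])
```

The token in the C2 URL is a live credential for the attacker's bot; block the full `bot<token>/` path prefix at the proxy rather than api.telegram.org as a whole if the organisation uses Telegram legitimately, and treat the chat_id as a secondary indicator that survives a token rotation in some campaigns.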
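The "Command and Scripting Interpreter: PowerShell" signature is about a hidden-window PowerShell launch, and the thing that trips naive detections is that powershell.exe accepts abbreviated switches: `-WindowStyle Hidden`, `-w hidden` and `-w 1` all mean the same thing. The block below is an added example, not part of the report or the sample: it normalises a process command line against the prefix forms and short aliases that powershell.exe's console host accepts (the alias table here is my understanding of that parser and is an assumption, not something the report states) and reports whether the window was hidden plus which other switches were used. The command lines it runs over are constructed for the example.

```python
import re

# powershell.exe matches a switch against any prefix of the full parameter name that is
# at least as long as a short form, plus a few explicit aliases (-ep, -ec). Assumed
# behaviour of the console host parser; verify against the PowerShell version you hunt on.
def _prefixes(name, min_len):
    return {name[:i].lower() for i in range(min_len, len(name) + 1)}

SWITCHES = {
    "windowstyle":     _prefixes("WindowStyle", 1),             # -w ... -windowstyle
    "noprofile":       _prefixes("NoProfile", 3),               # -nop ...
    "encodedcommand":  _prefixes("EncodedCommand", 1) | {"ec"}, # -e, -enc, -ec ...
    "executionpolicy": _prefixes("ExecutionPolicy", 2) | {"ep"},# -ex, -ep ...
    "command":         _prefixes("Command", 1),                 # -c ...
    "file":            _prefixes("File", 1),                    # -f ...
}
# ProcessWindowStyle.Hidden is also reachable as the enum ordinal 1.
HIDDEN_VALUES = {"hidden", "1"}
POWERSHELL_IMAGES = {"powershell.exe", "powershell", "pwsh.exe", "pwsh"}

_TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # keep quoted arguments as one token


def analyze_powershell(cmdline):
    """Return {'hidden_window': bool, 'switches': [...]} or None if not a PowerShell launch."""
    tokens = [t.strip('"') for t in _TOKEN_RE.findall(cmdline)]
    if not tokens:
        return None
    image = tokens[0].lower().replace("/", "\\").rsplit("\\", 1)[-1]
    if image not in POWERSHELL_IMAGES:
        return None
    result = {"hidden_window": False, "switches": []}
    for i in range(1, len(tokens)):
        tok = tokens[i]
        if not tok.startswith(("-", "/")):
            continue
        name = tok[1:].lower()
        for canonical, spellings in SWITCHES.items():
            if name in spellings:
                result["switches"].append(canonical)
                if (canonical == "windowstyle" and i + 1 < len(tokens)
                        and tokens[i + 1].lower() in HIDDEN_VALUES):
                    result["hidden_window"] = True
    return result


# Constructed command lines for the example (not taken from the sandbox run).
SAMPLES = [
    r'powershell.exe -w hidden -nop -ep bypass -c "Start-Process calc.exe"',
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -WindowStyle 1 -EncodedCommand SQBFAFgA',
    r'powershell.exe -File C:\scripts\backup.ps1',
    r'cmd.exe /c echo hi',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(analyze_powershell(s))
```

Use `hidden_window` together with the parent process (a script host or Office binary spawning a hidden PowerShell is the interesting case) rather than on its own; scheduled maintenance scripts also hide their window.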

MITRE ATT&CK Enterprise v15

Tasks