General

  • Target

    248ee27dc6af4db223815e90c43103f7d96462a2ce88c0cfbfa2b25673c90ac2.exe

  • Size

    1008KB

  • Sample

    241106-rgpf8asbpn

  • MD5

    ddb90d73f21bb04d0a0701542efc6a3c

  • SHA1

    fc3f21cba36333991d3d417be080e28718f08bde

  • SHA256

    248ee27dc6af4db223815e90c43103f7d96462a2ce88c0cfbfa2b25673c90ac2

  • SHA512

    74aa87dfc14b0f3390ea64fd50e19e5e8eddaf41abcec7b45334468aedf6ecce65ece411e46a6481104e1ca99fa40e925e1f8fab19c9b677c97d8c5057748d1f

  • SSDEEP

    12288:tqisoX8Q/V9qa5ZwLuEbimk3RjzF6rWowo3lItWMTCJqCOll:RHsQ9ovLSvcrh9+tW40O7

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      248ee27dc6af4db223815e90c43103f7d96462a2ce88c0cfbfa2b25673c90ac2.exe

    • Size

      1008KB

    • MD5

      ddb90d73f21bb04d0a0701542efc6a3c

    • SHA1

      fc3f21cba36333991d3d417be080e28718f08bde

    • SHA256

      248ee27dc6af4db223815e90c43103f7d96462a2ce88c0cfbfa2b25673c90ac2

    • SHA512

      74aa87dfc14b0f3390ea64fd50e19e5e8eddaf41abcec7b45334468aedf6ecce65ece411e46a6481104e1ca99fa40e925e1f8fab19c9b677c97d8c5057748d1f

    • SSDEEP

      12288:tqisoX8Q/V9qa5ZwLuEbimk3RjzF6rWowo3lItWMTCJqCOll:RHsQ9ovLSvcrh9+tW40O7

    • Guloader family

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    • Vipkeylogger family

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      6ad39193ed20078aa1b23c33a1e48859

    • SHA1

      95e70e4f47aa1689cc08afbdaef3ec323b5342fa

    • SHA256

      b9631423a50c666faf2cc6901c5a8d6eb2fecd306fdd2524256b7e2e37b251c2

    • SHA512

      78c89bb8c86f3b68e5314467eca4e8e922d143335081fa66b01d756303e1aec68ed01f4be7098dbe06a789ca32a0f31102f5ba408bc5ab28e61251611bb4f62b

    • SSDEEP

      96:qIsUxO9udx4qYp7AJb76BykUbQMtHUOA5Iv+RnsrqeXV+d1g2IW9t2c+cEwF9Fug:ZVL7ikJb76BQUoUm+RnyXVYO2RvHFug

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks