General
-
Target
ALI HASSO - P02515 & P02518.exe
-
Size
684KB
-
Sample
241107-r3kedsthlj
-
MD5
679962fd58f49f4d2f57a70a60aa287d
-
SHA1
3e3a3e5bc5e49ab7212e5ae5f340dd820fccd643
-
SHA256
422ea7c485f3c82c72b2adf62961cb61ded05226ceb12ec503bccba25e23886e
-
SHA512
597a1678322ade7c14d1181b9a2e4e09a7a9f841d5c2f3f0e0e64c40801eec25112dca1c5eaf53834dd1fdf8f5003f69d64e6cf5dd4ea46e42c73018690d4348
-
SSDEEP
12288:aMwa4IgEP4mLbAcLit9eIAnZ21gvG4nwNtsgw3PgAeeVhGctb7U:aMwa4BEP3Qc+t9eIAnEgB2Mobej7U
Static task
static1
Behavioral task
behavioral1
Sample
ALI HASSO - P02515 & P02518.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
ALI HASSO - P02515 & P02518.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
Malware Config
Extracted
Protocol: smtp- Host:
mail.foodex.com.pk - Port:
587 - Username:
[email protected] - Password:
wajahat1975
Extracted
vipkeylogger
Protocol: smtp- Host:
mail.foodex.com.pk - Port:
587 - Username:
[email protected] - Password:
wajahat1975 - Email To:
[email protected]
Targets
-
-
Target
ALI HASSO - P02515 & P02518.exe
-
Size
684KB
-
MD5
679962fd58f49f4d2f57a70a60aa287d
-
SHA1
3e3a3e5bc5e49ab7212e5ae5f340dd820fccd643
-
SHA256
422ea7c485f3c82c72b2adf62961cb61ded05226ceb12ec503bccba25e23886e
-
SHA512
597a1678322ade7c14d1181b9a2e4e09a7a9f841d5c2f3f0e0e64c40801eec25112dca1c5eaf53834dd1fdf8f5003f69d64e6cf5dd4ea46e42c73018690d4348
-
SSDEEP
12288:aMwa4IgEP4mLbAcLit9eIAnZ21gvG4nwNtsgw3PgAeeVhGctb7U:aMwa4BEP3Qc+t9eIAnEgB2Mobej7U
-
Guloader family
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Vipkeylogger family
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
$PLUGINSDIR/System.dll
-
Size
12KB
-
MD5
564bb0373067e1785cba7e4c24aab4bf
-
SHA1
7c9416a01d821b10b2eef97b80899d24014d6fc1
-
SHA256
7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5
-
SHA512
22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472
-
SSDEEP
192:nenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XBDIwL:n8+Qlt70Fj/lQRY/9VjjfL
Score3/10 -
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2