General

  • Target

    ALI HASSO - P02515 & P02518.exe

  • Size

    684KB

  • Sample

    241107-r3kedsthlj

  • MD5

    679962fd58f49f4d2f57a70a60aa287d

  • SHA1

    3e3a3e5bc5e49ab7212e5ae5f340dd820fccd643

  • SHA256

    422ea7c485f3c82c72b2adf62961cb61ded05226ceb12ec503bccba25e23886e

  • SHA512

    597a1678322ade7c14d1181b9a2e4e09a7a9f841d5c2f3f0e0e64c40801eec25112dca1c5eaf53834dd1fdf8f5003f69d64e6cf5dd4ea46e42c73018690d4348

  • SSDEEP

    12288:aMwa4IgEP4mLbAcLit9eIAnZ21gvG4nwNtsgw3PgAeeVhGctb7U:aMwa4BEP3Qc+t9eIAnEgB2Mobej7U

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.foodex.com.pk
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    wajahat1975

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      ALI HASSO - P02515 & P02518.exe

    • Size

      684KB

    • MD5

      679962fd58f49f4d2f57a70a60aa287d

    • SHA1

      3e3a3e5bc5e49ab7212e5ae5f340dd820fccd643

    • SHA256

      422ea7c485f3c82c72b2adf62961cb61ded05226ceb12ec503bccba25e23886e

    • SHA512

      597a1678322ade7c14d1181b9a2e4e09a7a9f841d5c2f3f0e0e64c40801eec25112dca1c5eaf53834dd1fdf8f5003f69d64e6cf5dd4ea46e42c73018690d4348

    • SSDEEP

      12288:aMwa4IgEP4mLbAcLit9eIAnZ21gvG4nwNtsgw3PgAeeVhGctb7U:aMwa4BEP3Qc+t9eIAnEgB2Mobej7U

    • Guloader family

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    • Vipkeylogger family

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      564bb0373067e1785cba7e4c24aab4bf

    • SHA1

      7c9416a01d821b10b2eef97b80899d24014d6fc1

    • SHA256

      7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5

    • SHA512

      22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472

    • SSDEEP

      192:nenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XBDIwL:n8+Qlt70Fj/lQRY/9VjjfL

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks