General

  • Target

    c9f7cbb4a9e4e0db0e717cd71d3b5e5162544866bc7c74cde42fb9240cf193db.exe

  • Size

    1.2MB

  • Sample

    241109-d6c8lawhql

  • MD5

    cfd68f7d943d702ade1744a68308f0ca

  • SHA1

    7e7bb8ff7a01ace1cee4b93d087bfad75aaefa0c

  • SHA256

    c9f7cbb4a9e4e0db0e717cd71d3b5e5162544866bc7c74cde42fb9240cf193db

  • SHA512

    9a198311992a149e0974d2187be2838a3ed969d284e0722e5a3ddb576c80f0d8eaed6b25683f10ffff8ccfb6bcfcc58ae4ce95747ce8c24e8100387f13f3b7e6

  • SSDEEP

    24576:voqqHmQ2mlKCS22++Gpk3C99ZwYAKImqcSb7CkSE9bXy2pf3zxFTB:voZmQ7N25Gpk3CqvTHcQC3E97xF3zTV

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      c9f7cbb4a9e4e0db0e717cd71d3b5e5162544866bc7c74cde42fb9240cf193db.exe

    • Size

      1.2MB

    • MD5

      cfd68f7d943d702ade1744a68308f0ca

    • SHA1

      7e7bb8ff7a01ace1cee4b93d087bfad75aaefa0c

    • SHA256

      c9f7cbb4a9e4e0db0e717cd71d3b5e5162544866bc7c74cde42fb9240cf193db

    • SHA512

      9a198311992a149e0974d2187be2838a3ed969d284e0722e5a3ddb576c80f0d8eaed6b25683f10ffff8ccfb6bcfcc58ae4ce95747ce8c24e8100387f13f3b7e6

    • SSDEEP

      24576:voqqHmQ2mlKCS22++Gpk3C99ZwYAKImqcSb7CkSE9bXy2pf3zxFTB:voZmQ7N25Gpk3CqvTHcQC3E97xF3zTV

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

    • Vipkeylogger family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Accesses Microsoft Outlook profiles

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Fiskerettens.udk

    • Size

      52KB

    • MD5

      faf341db23ab218989520cdb488bd287

    • SHA1

      dea8d00a028dbf3db1e4dc43c78f4953146a5512

    • SHA256

      31986b7f9a99a42e3d59c24fa9a3530f7436f99ed3c7651f04debd3f62c44a89

    • SHA512

      99bdfe35735c579102859774c3bd0809858d9628b3691ad4a9955016822139fe96f1921eed5d7dc57350faf6fbb4ba4f820278b04bb22ff88dcfefa2909da79f

    • SSDEEP

      1536:We4ji4ZMCyENUaKEqfmM8PTjcHrhIU8Nmp42:8nR3KhmZLjcHOXYH

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks