General

  • Target

    d47cf218c7f1a32c556e0501c3d1f00c420fa75ace47ad2b4fd6242aec388580.exe

  • Size

    632KB

  • Sample

    241109-d9c21awlfx

  • MD5

    95359158d57fb8ceb0093d85bdec58b4

  • SHA1

    50c7d83505c11307084313f5a6badb7dbf619b75

  • SHA256

    d47cf218c7f1a32c556e0501c3d1f00c420fa75ace47ad2b4fd6242aec388580

  • SHA512

    ab76232fb8252ed72f12c6ddef03b4cdfa729d89e9eb735e32d6a5bd9d202ab5b1690a0fdb28a36d345238ce3231b2789e75ae5a6e2d25af13cdbc6876a45cba

  • SSDEEP

    12288:ONBi378EzqgDY62EJNSGI4GoI2iJK06rNkRDjGQB7F0PgvD5Fb7q:ONg37HqO/hsGjIP4HNktGQMPgNpq

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      d47cf218c7f1a32c556e0501c3d1f00c420fa75ace47ad2b4fd6242aec388580.exe


    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

    • Vipkeylogger family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar data.

    • Accesses Microsoft Outlook profiles

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Analytiske.Ant

    • Size

      52KB

    • MD5

      64473712892d67203242c7904c6ffd81

    • SHA1

      72d869d49607487d0ae85da693aacc42709339e2

    • SHA256

      9c845196deca4a4738d5bee70cc2169f1dbec420b7d340b5d40642a41287a9a6

    • SHA512

      0c8ad907a17bda49371ebca2c4d390347c99c48c13c10c245691113aa087b3ea65fb0811ea623dcd4257f3cc0eca1615ce40d5e2b1cda623356a84e9c18b0383

    • SSDEEP

      1536:/5kp6eLO4rqfz/CetjrxBy9IiNS0DDMWOSq1+:yp61Dbaan8BDDMr31+

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.
