General
-
Target
ALI HASSO - P02515 & P02518.exe
-
Size
694KB
-
Sample
241110-g4whya1gre
-
MD5
964744dc0ee9f5fcb1c2d50553c1a080
-
SHA1
b097808717cf2aed2109c0191b6a32471a97b1c5
-
SHA256
25e63b30d14cfb8e34d5223ad2d2eee2d684603b5e74b91fdecd2ff9b8945066
-
SHA512
9151bfa7447126013681209b92e46f8049a8bea2d09fb972a19942795d0a16274c191bbb654eb66465011da5260fc34c08b0eb456348ab377e5bde1aa90713f0
-
SSDEEP
12288:sMwaWgmqtOAmk6kIATs0yjE8HELsQP04nwNtsgw3PgAeeVhGctH74:sMwaWgqkJIAw0yghs2f2Mobev74
Static task
static1
Behavioral task
behavioral1
Sample
ALI HASSO - P02515 & P02518.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
ALI HASSO - P02515 & P02518.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
Malware Config
Extracted
Protocol: smtp- Host:
mail.foodex.com.pk - Port:
587 - Username:
[email protected] - Password:
wajahat1975
Extracted
vipkeylogger
Protocol: smtp- Host:
mail.foodex.com.pk - Port:
587 - Username:
[email protected] - Password:
wajahat1975 - Email To:
[email protected]
Targets
-
-
Target
ALI HASSO - P02515 & P02518.exe
-
Size
694KB
-
MD5
964744dc0ee9f5fcb1c2d50553c1a080
-
SHA1
b097808717cf2aed2109c0191b6a32471a97b1c5
-
SHA256
25e63b30d14cfb8e34d5223ad2d2eee2d684603b5e74b91fdecd2ff9b8945066
-
SHA512
9151bfa7447126013681209b92e46f8049a8bea2d09fb972a19942795d0a16274c191bbb654eb66465011da5260fc34c08b0eb456348ab377e5bde1aa90713f0
-
SSDEEP
12288:sMwaWgmqtOAmk6kIATs0yjE8HELsQP04nwNtsgw3PgAeeVhGctH74:sMwaWgqkJIAw0yghs2f2Mobev74
-
Guloader family
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Vipkeylogger family
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
$PLUGINSDIR/System.dll
-
Size
12KB
-
MD5
564bb0373067e1785cba7e4c24aab4bf
-
SHA1
7c9416a01d821b10b2eef97b80899d24014d6fc1
-
SHA256
7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5
-
SHA512
22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472
-
SSDEEP
192:nenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XBDIwL:n8+Qlt70Fj/lQRY/9VjjfL
Score3/10 -
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2