General

  • Target

    ALI HASSO - P02515 & P02518.exe

  • Size

    694KB

  • Sample

    241110-g4whya1gre

  • MD5

    964744dc0ee9f5fcb1c2d50553c1a080

  • SHA1

    b097808717cf2aed2109c0191b6a32471a97b1c5

  • SHA256

    25e63b30d14cfb8e34d5223ad2d2eee2d684603b5e74b91fdecd2ff9b8945066

  • SHA512

    9151bfa7447126013681209b92e46f8049a8bea2d09fb972a19942795d0a16274c191bbb654eb66465011da5260fc34c08b0eb456348ab377e5bde1aa90713f0

  • SSDEEP

    12288:sMwaWgmqtOAmk6kIATs0yjE8HELsQP04nwNtsgw3PgAeeVhGctH74:sMwaWgqkJIAw0yghs2f2Mobev74

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.foodex.com.pk
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    wajahat1975

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      ALI HASSO - P02515 & P02518.exe

    • Size

      694KB

    • MD5

      964744dc0ee9f5fcb1c2d50553c1a080

    • SHA1

      b097808717cf2aed2109c0191b6a32471a97b1c5

    • SHA256

      25e63b30d14cfb8e34d5223ad2d2eee2d684603b5e74b91fdecd2ff9b8945066

    • SHA512

      9151bfa7447126013681209b92e46f8049a8bea2d09fb972a19942795d0a16274c191bbb654eb66465011da5260fc34c08b0eb456348ab377e5bde1aa90713f0

    • SSDEEP

      12288:sMwaWgmqtOAmk6kIATs0yjE8HELsQP04nwNtsgw3PgAeeVhGctH74:sMwaWgqkJIAw0yghs2f2Mobev74

    • Guloader family

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    • Vipkeylogger family

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      564bb0373067e1785cba7e4c24aab4bf

    • SHA1

      7c9416a01d821b10b2eef97b80899d24014d6fc1

    • SHA256

      7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5

    • SHA512

      22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472

    • SSDEEP

      192:nenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XBDIwL:n8+Qlt70Fj/lQRY/9VjjfL

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks