vipkeylogger

General

Target

24359daec4a8fd5901889f2a45e5b8d783e07c3b63bb272caf94cbe08abefedd
Size

1004KB
Sample

241128-dep33syjgp
MD5

77a3d0c468799c3f4bb8474f07c0a42b
SHA1

94de634c11301f9fd5bd6590f57548f3b1da641b
SHA256

24359daec4a8fd5901889f2a45e5b8d783e07c3b63bb272caf94cbe08abefedd
SHA512

e26108248eff325f3e2e24d525f6f2bfa6dedfa501a5e33e51015aefb3c0415384ecf9c3063d3fb702acad46bda1033603746b6a1c5053e192f4120599106482
SSDEEP

24576:LBbK9XvkSSYCxyd6xgOIKImBUa96cEnEC/Mp:L89fAYxv7Kajg

Score

10^/10

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7721085569:AAH1tkciy-nKykIEUNjOAUsItTcvNCVmFLo/sendMessage?chat_id=6236275763

Extracted

Family

xworm

Version

3.1

C2

69.174.99.6:7000

Mutex

ZMMi52bfIGvYY0Ok

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  OrderList.scr
- Size
  
  785KB
- MD5
  
  8d46e55973af1de9d60320eab1ea1fa2
- SHA1
  
  2b6e1e250f5601308ab09a8a5f5ad78b78c33985
- SHA256
  
  86865a4fa894a64051e0bd9134851d148576c2fc3b49e0621fb04553bb5632f5
- SHA512
  
  b51f517918b9b98a6d1720a73f02401e47bc4e9459ae316fcfdaa9eac300dfe873b6d775fb01f53fbd5547352de265a52d95700dc5470d604b1b2bb23840f029
- SSDEEP
  
  12288:rLkcoxg7v3qnC11ErwIhh0F4qwUgUny5QLtkxixMXdqLGU1gzf:ffmMv6Ckr7Mny5QLtk4xMNqFgzf
Score

10^/10

vipkeylogger collection discovery keylogger stealer
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  Quotation.scr
- Size
  
  945KB
- MD5
  
  91808cc12b1db334c458e38174207aba
- SHA1
  
  6a7be345db82c710c129b7bf17a9633b92398482
- SHA256
  
  2b68138198f01ca60ce18eb72fc8c1268691bae2409dd56ab871d465a958c1dc
- SHA512
  
  771784a96c5bff6fd6ebca728aa634363bf5a13a8e0f907bb76524bfa8f4131e5aef1ed680604ff9131d4c6588386a9b2758f1b0501c9bd9484d645a3982a1ed
- SSDEEP
  
  12288:Jtb20Qc3lT7af41ePBRYuQLKpqeUhbTv5OFgNuPPpHSga5TiSRlHEKqEFJMr+6A:Jtb20pkaCqT5TBWgNQ7a9iS3EVE++6A
Score

10^/10

xworm discovery rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

1

T1217

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Vipkeylogger family

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

Detect Xworm Payload

Xworm

Xworm family

Drops startup file

Executes dropped EXE

Loads dropped DLL

AutoIT Executable

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4