General

  • Target

    125b4582b7dd2221044fb257f580da57e4dc61b03a6c35e208fed973f71c28a1

  • Size

    859KB

  • Sample

    241201-tj19xaznfn

  • MD5

    47fd98348b7d314e4e9dae46e5f1e1a1

  • SHA1

    cafe48404707e61235bfbe6646d8072af4298e21

  • SHA256

    125b4582b7dd2221044fb257f580da57e4dc61b03a6c35e208fed973f71c28a1

  • SHA512

    8a1deda7d7e8e80d8b2e62ad0d9d4400b1d865ea322955e577fc439a8a0f1d6d3cb912397ecb6458941fd7fd566c1fdbdf4c4ed02c72234fa543bfcb45db845a

  • SSDEEP

    12288:l9/IyjazmRR+BZhOLlpJjdCPwwdw6ETeVlCE7vkQymGwSW01hXqvjoaCi7lnsZzz:/A/KqZhOnJdyzp+alCJmvulW6Nd0vo

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.ionos.es
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    pW@4G()=#2

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      125b4582b7dd2221044fb257f580da57e4dc61b03a6c35e208fed973f71c28a1

    • Size

      859KB

    • MD5

      47fd98348b7d314e4e9dae46e5f1e1a1

    • SHA1

      cafe48404707e61235bfbe6646d8072af4298e21

    • SHA256

      125b4582b7dd2221044fb257f580da57e4dc61b03a6c35e208fed973f71c28a1

    • SHA512

      8a1deda7d7e8e80d8b2e62ad0d9d4400b1d865ea322955e577fc439a8a0f1d6d3cb912397ecb6458941fd7fd566c1fdbdf4c4ed02c72234fa543bfcb45db845a

    • SSDEEP

      12288:l9/IyjazmRR+BZhOLlpJjdCPwwdw6ETeVlCE7vkQymGwSW01hXqvjoaCi7lnsZzz:/A/KqZhOnJdyzp+alCJmvulW6Nd0vo

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first found in 2020.

    • Vipkeylogger family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Accesses Microsoft Outlook profiles

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Paraffinerer.Dej

    • Size

      53KB

    • MD5

      6f2c225ff02a35f64c6157286f9e90b1

    • SHA1

      fdfb286088fd3cb3c3fa39f39e2e7ba48b3c6624

    • SHA256

      0f4caa809a6b9ad70a305958af34e60b82f3080bbb7067f316ca85702ffba443

    • SHA512

      c5fb4eafb4c29b774648bcec26736ad0808815d10618c95b723de9296240e6f9cbc35e90cc4439266f013810f16dde0f44a840fa928d8be2a8562cc5ac8d2eb5

    • SSDEEP

      1536:qBW8/PWnOQz17PFJoL9Wt34bzGFC3fm5Xa5Z9YwsklLt7:qj/PWnOa7NG9034fGQ3fmFTI7

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks