General
- Target: 125b4582b7dd2221044fb257f580da57e4dc61b03a6c35e208fed973f71c28a1
- Size: 859KB
- Sample: 241201-tj19xaznfn
- MD5: 47fd98348b7d314e4e9dae46e5f1e1a1
- SHA1: cafe48404707e61235bfbe6646d8072af4298e21
- SHA256: 125b4582b7dd2221044fb257f580da57e4dc61b03a6c35e208fed973f71c28a1
- SHA512: 8a1deda7d7e8e80d8b2e62ad0d9d4400b1d865ea322955e577fc439a8a0f1d6d3cb912397ecb6458941fd7fd566c1fdbdf4c4ed02c72234fa543bfcb45db845a
- SSDEEP: 12288:l9/IyjazmRR+BZhOLlpJjdCPwwdw6ETeVlCE7vkQymGwSW01hXqvjoaCi7lnsZzz:/A/KqZhOnJdyzp+alCJmvulW6Nd0vo
Static task
- static1
Behavioral task
- behavioral1: Sample 125b4582b7dd2221044fb257f580da57e4dc61b03a6c35e208fed973f71c28a1.exe; Resource win7-20240903-en
- behavioral2: Sample 125b4582b7dd2221044fb257f580da57e4dc61b03a6c35e208fed973f71c28a1.exe; Resource win10v2004-20241007-en
- behavioral3: Sample Paraffinerer.ps1; Resource win7-20240903-en
- behavioral4: Sample Paraffinerer.ps1; Resource win10v2004-20241007-en
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.ionos.es
- Port: 587
- Username: [email protected]
- Password: pW@4G()=#2
Extracted: vipkeylogger
- Protocol: smtp
- Host: smtp.ionos.es
- Port: 587
- Username: [email protected]
- Password: pW@4G()=#2
- Email To: [email protected]
Targets
- Target: 125b4582b7dd2221044fb257f580da57e4dc61b03a6c35e208fed973f71c28a1
  - Size: 859KB
  - MD5: 47fd98348b7d314e4e9dae46e5f1e1a1
  - SHA1: cafe48404707e61235bfbe6646d8072af4298e21
  - SHA256: 125b4582b7dd2221044fb257f580da57e4dc61b03a6c35e208fed973f71c28a1
  - SHA512: 8a1deda7d7e8e80d8b2e62ad0d9d4400b1d865ea322955e577fc439a8a0f1d6d3cb912397ecb6458941fd7fd566c1fdbdf4c4ed02c72234fa543bfcb45db845a
  - SSDEEP: 12288:l9/IyjazmRR+BZhOLlpJjdCPwwdw6ETeVlCE7vkQymGwSW01hXqvjoaCi7lnsZzz:/A/KqZhOnJdyzp+alCJmvulW6Nd0vo
  - VIPKeylogger: VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was discovered in 2020.
  - Vipkeylogger family
  - Accesses Microsoft Outlook profiles
  - Blocklisted process makes network request
  - Legitimate hosting services abused for malware hosting/C2
  - Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
- Target: Paraffinerer.Dej
  - Size: 53KB
  - MD5: 6f2c225ff02a35f64c6157286f9e90b1
  - SHA1: fdfb286088fd3cb3c3fa39f39e2e7ba48b3c6624
  - SHA256: 0f4caa809a6b9ad70a305958af34e60b82f3080bbb7067f316ca85702ffba443
  - SHA512: c5fb4eafb4c29b774648bcec26736ad0808815d10618c95b723de9296240e6f9cbc35e90cc4439266f013810f16dde0f44a840fa928d8be2a8562cc5ac8d2eb5
  - SSDEEP: 1536:qBW8/PWnOQz17PFJoL9Wt34bzGFC3fm5Xa5Z9YwsklLt7:qj/PWnOa7NG9034fGQ3fmFTI7
  - Score: 8/10
  - Boot or Logon Autostart Execution: Active Setup: Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  - Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.