General

  • Target

    d6b544f7fe973a0ec18dc6994869bbd97779b965a7bc999b11f1d590cff9707b.exe

  • Size

    560KB

  • Sample

    241203-dk8glssqbl

  • MD5

    376eba8de3fb318ec11efa037f8c0999

  • SHA1

    998079a01ea4b5af7d90b44e289ff3e61caaa6c2

  • SHA256

    d6b544f7fe973a0ec18dc6994869bbd97779b965a7bc999b11f1d590cff9707b

  • SHA512

    1113f67e131f0dc952f8168be4274f910e942992b6775daaa241f48e1852ceb10875d609d34fed41ac2b5ba845d34adf327a99eaa52a7be3dbf054876aae7496

  • SSDEEP

    6144:14t6Ls60mub8lmN1d/VJjbGTaQ8jY7dsO9sKL/urW09nSl6Mkmt4XzVkpmAZ51Mg:1kuicyCdsYsKLktnS5oVMmySMpQK7

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7689901861:AAEBNHwgb6W6VOFJWVPXuo-RFbpacsgCwQg/sendMessage?chat_id=7582232587

Targets

    • Target

      d6b544f7fe973a0ec18dc6994869bbd97779b965a7bc999b11f1d590cff9707b.exe

    • Size

      560KB

    • MD5

      376eba8de3fb318ec11efa037f8c0999

    • SHA1

      998079a01ea4b5af7d90b44e289ff3e61caaa6c2

    • SHA256

      d6b544f7fe973a0ec18dc6994869bbd97779b965a7bc999b11f1d590cff9707b

    • SHA512

      1113f67e131f0dc952f8168be4274f910e942992b6775daaa241f48e1852ceb10875d609d34fed41ac2b5ba845d34adf327a99eaa52a7be3dbf054876aae7496

    • SSDEEP

      6144:14t6Ls60mub8lmN1d/VJjbGTaQ8jY7dsO9sKL/urW09nSl6Mkmt4XzVkpmAZ51Mg:1kuicyCdsYsKLktnS5oVMmySMpQK7

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

    • Vipkeylogger family

    • Accesses Microsoft Outlook profiles

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks