General

  • Target

    f3b82a629b1eff8b49edcfb38f2d0cbd0ef366a59a97264eb7b86373a45588c4.exe

  • Size

    694KB

  • Sample

    241203-dp89psxlbx

  • MD5

    42b3eeff606c41053b2b30e6df1baa87

  • SHA1

    8957ac95d71567ccf7d0efc28ddcc944352308d0

  • SHA256

    f3b82a629b1eff8b49edcfb38f2d0cbd0ef366a59a97264eb7b86373a45588c4

  • SHA512

    2646e4cd32e39c285be65eecab4bc6c6e92a1b5e5992ba53b5d4f062ddcde1b1a596773d2976442be6ed3be5d36144f4cf23caf665b248909aa1aee316b453b8

  • SSDEEP

    12288:IfL/UfibuJ2zMMzztVZK+u5YBCtKlQyYefZKSxA340ryKhzJ:IfL8fibuJ2/JVZZuaBCtjexKj3vR

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot8138030788:AAEti5Rsvkh3t9x1DE3f72xKiRnG5XE9PkI/sendMessage?chat_id=7844469787

Targets

    • Target

      f3b82a629b1eff8b49edcfb38f2d0cbd0ef366a59a97264eb7b86373a45588c4.exe

    • Size

      694KB

    • MD5

      42b3eeff606c41053b2b30e6df1baa87

    • SHA1

      8957ac95d71567ccf7d0efc28ddcc944352308d0

    • SHA256

      f3b82a629b1eff8b49edcfb38f2d0cbd0ef366a59a97264eb7b86373a45588c4

    • SHA512

      2646e4cd32e39c285be65eecab4bc6c6e92a1b5e5992ba53b5d4f062ddcde1b1a596773d2976442be6ed3be5d36144f4cf23caf665b248909aa1aee316b453b8

    • SSDEEP

      12288:IfL/UfibuJ2zMMzztVZK+u5YBCtKlQyYefZKSxA340ryKhzJ:IfL8fibuJ2/JVZZuaBCtjexKj3vR

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    • Vipkeylogger family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      7KB

    • MD5

      b4579bc396ace8cafd9e825ff63fe244

    • SHA1

      32a87ed28a510e3b3c06a451d1f3d0ba9faf8d9c

    • SHA256

      01e72332362345c415a7edcb366d6a1b52be9ac6e946fb9da49785c140ba1a4b

    • SHA512

      3a76e0e259a0ca12275fed922ce6e01bdfd9e33ba85973e80101b8025ef9243f5e32461a113bbcc6aa75e40894bb5d3a42d6b21045517b6b3cf12d76b4cfa36a

    • SSDEEP

      96:JwzdzBzMDhOZZDbXf5GsWvSv1ckne94SDbYkvML1HT1fUNQaSGYuH0DQ:JTQHDb2vSuOc41ZfUNQZGdHM

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks