General
-
Target
f3b82a629b1eff8b49edcfb38f2d0cbd0ef366a59a97264eb7b86373a45588c4.exe
-
Size
694KB
-
Sample
241203-dp89psxlbx
-
MD5
42b3eeff606c41053b2b30e6df1baa87
-
SHA1
8957ac95d71567ccf7d0efc28ddcc944352308d0
-
SHA256
f3b82a629b1eff8b49edcfb38f2d0cbd0ef366a59a97264eb7b86373a45588c4
-
SHA512
2646e4cd32e39c285be65eecab4bc6c6e92a1b5e5992ba53b5d4f062ddcde1b1a596773d2976442be6ed3be5d36144f4cf23caf665b248909aa1aee316b453b8
-
SSDEEP
12288:IfL/UfibuJ2zMMzztVZK+u5YBCtKlQyYefZKSxA340ryKhzJ:IfL8fibuJ2/JVZZuaBCtjexKj3vR
Static task
static1
Behavioral task
behavioral1
Sample
f3b82a629b1eff8b49edcfb38f2d0cbd0ef366a59a97264eb7b86373a45588c4.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
f3b82a629b1eff8b49edcfb38f2d0cbd0ef366a59a97264eb7b86373a45588c4.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240708-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20241007-en
Malware Config
Extracted
vipkeylogger
https://api.telegram.org/bot8138030788:AAEti5Rsvkh3t9x1DE3f72xKiRnG5XE9PkI/sendMessage?chat_id=7844469787
Targets
-
-
Target
f3b82a629b1eff8b49edcfb38f2d0cbd0ef366a59a97264eb7b86373a45588c4.exe
-
Size
694KB
-
MD5
42b3eeff606c41053b2b30e6df1baa87
-
SHA1
8957ac95d71567ccf7d0efc28ddcc944352308d0
-
SHA256
f3b82a629b1eff8b49edcfb38f2d0cbd0ef366a59a97264eb7b86373a45588c4
-
SHA512
2646e4cd32e39c285be65eecab4bc6c6e92a1b5e5992ba53b5d4f062ddcde1b1a596773d2976442be6ed3be5d36144f4cf23caf665b248909aa1aee316b453b8
-
SSDEEP
12288:IfL/UfibuJ2zMMzztVZK+u5YBCtKlQyYefZKSxA340ryKhzJ:IfL8fibuJ2/JVZZuaBCtjexKj3vR
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Vipkeylogger family
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
$PLUGINSDIR/nsExec.dll
-
Size
7KB
-
MD5
b4579bc396ace8cafd9e825ff63fe244
-
SHA1
32a87ed28a510e3b3c06a451d1f3d0ba9faf8d9c
-
SHA256
01e72332362345c415a7edcb366d6a1b52be9ac6e946fb9da49785c140ba1a4b
-
SHA512
3a76e0e259a0ca12275fed922ce6e01bdfd9e33ba85973e80101b8025ef9243f5e32461a113bbcc6aa75e40894bb5d3a42d6b21045517b6b3cf12d76b4cfa36a
-
SSDEEP
96:JwzdzBzMDhOZZDbXf5GsWvSv1ckne94SDbYkvML1HT1fUNQaSGYuH0DQ:JTQHDb2vSuOc41ZfUNQZGdHM
Score3/10 -
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2