General
-
Target
kelscrit.exe
-
Size
563KB
-
Sample
241203-k82sasvjap
-
MD5
64ea70b77e9654021dfe4c5b42a788db
-
SHA1
ff668253991db29fa83a93a962654a2a13cc87ba
-
SHA256
919036bc72056762803c599929ee33811f1c9a13f55c571008b57b20b638c54b
-
SHA512
7ebdbe6ff9e14ec408f52611962af70f24136ee6976a4239f636971d778d9d3491188ccb18c5908f0c69bace9c115dc909a199bec9c74b44ada381c4f8a4429b
-
SSDEEP
12288:7fYfUlNHYh6qFkbpBOO64kfPZxIgL3lweEbH+aB:7fYMPYc/FHkfhxIgZQH9B
Static task
static1
Behavioral task
behavioral1
Sample
kelscrit.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
kelscrit.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240729-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
Malware Config
Extracted
vipkeylogger
https://api.telegram.org/bot6358867316:AAGYz8F7DpACV8KuAbFAee27mS5P18ckXUM/sendMessage?chat_id=6361450335
Targets
-
-
Target
kelscrit.exe
-
Size
563KB
-
MD5
64ea70b77e9654021dfe4c5b42a788db
-
SHA1
ff668253991db29fa83a93a962654a2a13cc87ba
-
SHA256
919036bc72056762803c599929ee33811f1c9a13f55c571008b57b20b638c54b
-
SHA512
7ebdbe6ff9e14ec408f52611962af70f24136ee6976a4239f636971d778d9d3491188ccb18c5908f0c69bace9c115dc909a199bec9c74b44ada381c4f8a4429b
-
SSDEEP
12288:7fYfUlNHYh6qFkbpBOO64kfPZxIgL3lweEbH+aB:7fYMPYc/FHkfhxIgZQH9B
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Vipkeylogger family
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
$PLUGINSDIR/System.dll
-
Size
12KB
-
MD5
192639861e3dc2dc5c08bb8f8c7260d5
-
SHA1
58d30e460609e22fa0098bc27d928b689ef9af78
-
SHA256
23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6
-
SHA512
6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc
-
SSDEEP
192:ljHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZqE0QPi:R/Qlt7wiij/lMRv/9V4bfr
Score3/10 -
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2