General

  • Target: transferenciainterbancaria_00081.exe
  • Size: 541KB
  • Sample: 241203-mle15a1ng1
  • MD5: 54327a2f6c75bb2c549a5a98a462a588
  • SHA1: f65473fa075bef32b55445d84cb8bfa4da48ac79
  • SHA256: c3463021d3069ae7aad460707a950eb7b427a65c87f3d8e201b59cebb886a1b7
  • SHA512: 88595fa0af8ac0211145787ce0d0d3afdfb396edfcfcbab16d4714fbfb1077a8eb8df5ec6bd9aaefd916611363dd7791c62cfaba24a571bd4279ffb93bb73866
  • SSDEEP: 12288:aICfPgs7diA6gdZiygrNIVYAHHjMIyoS/B3FYA1YU:MZdL6AMxI+Aopz/lJv

Malware Config

Extracted

Family: vipkeylogger

Credentials

Targets

    • Target: transferenciainterbancaria_00081.exe
    • Size: 541KB
    • MD5: 54327a2f6c75bb2c549a5a98a462a588
    • SHA1: f65473fa075bef32b55445d84cb8bfa4da48ac79
    • SHA256: c3463021d3069ae7aad460707a950eb7b427a65c87f3d8e201b59cebb886a1b7
    • SHA512: 88595fa0af8ac0211145787ce0d0d3afdfb396edfcfcbab16d4714fbfb1077a8eb8df5ec6bd9aaefd916611363dd7791c62cfaba24a571bd4279ffb93bb73866
    • SSDEEP: 12288:aICfPgs7diA6gdZiygrNIVYAHHjMIyoS/B3FYA1YU:MZdL6AMxI+Aopz/lJv

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.

    • Vipkeylogger family

    • Accesses Microsoft Outlook profiles

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks