General

  • Target

    04122024_1430_03122024_FRA.2080GRACAREMAIG2.rar

  • Size

    513KB

  • Sample

    241204-ryhd8stlgj

  • MD5

    39bc93c25786719d1d73165fdd3bf137

  • SHA1

    f3e0ac8567a7acf69d824d7c10675adef13047b7

  • SHA256

    184984d6c7d316d2b0b281958b784d78e85811465d5b04622584b4b47d8fe4b9

  • SHA512

    14994a687b5cf90a4d456cfec5256a604d9944f31b1fcaff6a85be9ca09538e952a7bb9f6aea6f90252f1ac0deb16ff35a202fc0176c1992ee8fb81b278cf685

  • SSDEEP

    12288:AngrB3Qo9esMYYqQvUKEVrbggEyRanPI/LWynhNKPS:AngrB3Qs3YqQvmRfXanQDW8HKPS

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      FRA.2080 GRACARE MAIG (2).exe

    • Size

      528KB

    • MD5

      341ae38ffefa01cb1ce586636e6629db

    • SHA1

      ec0f4fa6942ef3aadc183d440239e883faeab607

    • SHA256

      2ff3d2bda15e7a1ceb97f318d9e85d930e6a75a135d70b953b708c96f90921a7

    • SHA512

      8b342bb4b381421be54a5876fba24cc6bccc1a0ecca48c6afb949b97645fdb69141e1dd1017d97fde3a3a080897a79534d0719119d4d2a076573b2c72fb98819

    • SSDEEP

      12288:aICiw3Giju9h1LrEOn1UuwE1eu0yoS/B3FYA1Y/:Miw2Uu9DLrEOnZwo/z/lJs

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    • Vipkeylogger family

    • Accesses Microsoft Outlook profiles

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks