General
Target: 4d6a20acf2890a33ccd8bbb853a2fcbf7494ee756f9a238c8608b5e78f77e7f2.exe
Size: 613KB
Sample: 241205-tgrbxs1pds
MD5: 1db4a51100e3232069a4d5458e38b319
SHA1: 635a5278d1eaef481345014378d2f79fc3161b82
SHA256: 4d6a20acf2890a33ccd8bbb853a2fcbf7494ee756f9a238c8608b5e78f77e7f2
SHA512: ef49bd40d6d56f08ef294dbb3eb0e8a66d5ff03d257a25789559dbe18a5a482bfad57b19014fa2ed66d5a8716b27b26f68fc5cbb2408ff1a7b3d918ca3d06336
SSDEEP: 12288:Stons9H6k4J4EbhpCRMft7DvTZPa2hLjPn39kub:3nu6X4Eu2lTTDjP39bb
Static task: static1
Behavioral task: behavioral1
  Sample: 4d6a20acf2890a33ccd8bbb853a2fcbf7494ee756f9a238c8608b5e78f77e7f2.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 4d6a20acf2890a33ccd8bbb853a2fcbf7494ee756f9a238c8608b5e78f77e7f2.exe
  Resource: win10v2004-20241007-en
Behavioral task: behavioral3
  Sample: tvrdriver.ps1
  Resource: win7-20240903-en
Behavioral task: behavioral4
  Sample: tvrdriver.ps1
  Resource: win10v2004-20241007-en
Malware Config
Extracted: vipkeylogger
Protocol: smtp
Host: mail.strakonltd.co.ug
Port: 587
Username: [email protected]
Password: Moreblessings@26
Email To: [email protected]
Targets
Target: 4d6a20acf2890a33ccd8bbb853a2fcbf7494ee756f9a238c8608b5e78f77e7f2.exe
Size: 613KB
MD5: 1db4a51100e3232069a4d5458e38b319
SHA1: 635a5278d1eaef481345014378d2f79fc3161b82
SHA256: 4d6a20acf2890a33ccd8bbb853a2fcbf7494ee756f9a238c8608b5e78f77e7f2
SHA512: ef49bd40d6d56f08ef294dbb3eb0e8a66d5ff03d257a25789559dbe18a5a482bfad57b19014fa2ed66d5a8716b27b26f68fc5cbb2408ff1a7b3d918ca3d06336
SSDEEP: 12288:Stons9H6k4J4EbhpCRMft7DvTZPa2hLjPn39kub:3nu6X4Eu2lTTDjP39bb
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.
- Vipkeylogger family
- Accesses Microsoft Outlook profiles
- Blocklisted process makes network request
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP address.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
Target: tvrdriver.Dob175
Size: 54KB
MD5: 7562ce0c4f392e2b16af6e4e2ed86bbf
SHA1: 3f17f397709f6276b2345e09a30abe657614e5c4
SHA256: e3f186006ceac653cb2fb3fd1a3f3d531246ee599efecb8aed68bed27d860e0a
SHA512: 2f98d074df39c3bcf3ffae38c911b90487499a8c40fd1a4c45d7c9acf804acb3edf6d820295c4f1c4226be00a9a358b4db1c94936896e01a7f6bbda89ce60334
SSDEEP: 768:RpCNKZaAWYRoU6XIUeFtV1fTl3DNQa9aK+wg5pV3Lkvmv0Yu00:RJoAcEB7UJpuva0YX0
Score: 8/10
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.