General

  • Target

    4d6a20acf2890a33ccd8bbb853a2fcbf7494ee756f9a238c8608b5e78f77e7f2.exe

  • Size

    613KB

  • Sample

    241205-tgrbxs1pds

  • MD5

    1db4a51100e3232069a4d5458e38b319

  • SHA1

    635a5278d1eaef481345014378d2f79fc3161b82

  • SHA256

    4d6a20acf2890a33ccd8bbb853a2fcbf7494ee756f9a238c8608b5e78f77e7f2

  • SHA512

    ef49bd40d6d56f08ef294dbb3eb0e8a66d5ff03d257a25789559dbe18a5a482bfad57b19014fa2ed66d5a8716b27b26f68fc5cbb2408ff1a7b3d918ca3d06336

  • SSDEEP

    12288:Stons9H6k4J4EbhpCRMft7DvTZPa2hLjPn39kub:3nu6X4Eu2lTTDjP39bb

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      4d6a20acf2890a33ccd8bbb853a2fcbf7494ee756f9a238c8608b5e78f77e7f2.exe

    • Size

      613KB

    • MD5

      1db4a51100e3232069a4d5458e38b319

    • SHA1

      635a5278d1eaef481345014378d2f79fc3161b82

    • SHA256

      4d6a20acf2890a33ccd8bbb853a2fcbf7494ee756f9a238c8608b5e78f77e7f2

    • SHA512

      ef49bd40d6d56f08ef294dbb3eb0e8a66d5ff03d257a25789559dbe18a5a482bfad57b19014fa2ed66d5a8716b27b26f68fc5cbb2408ff1a7b3d918ca3d06336

    • SSDEEP

      12288:Stons9H6k4J4EbhpCRMft7DvTZPa2hLjPn39kub:3nu6X4Eu2lTTDjP39bb

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    • Vipkeylogger family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Accesses Microsoft Outlook profiles

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      tvrdriver.Dob175

    • Size

      54KB

    • MD5

      7562ce0c4f392e2b16af6e4e2ed86bbf

    • SHA1

      3f17f397709f6276b2345e09a30abe657614e5c4

    • SHA256

      e3f186006ceac653cb2fb3fd1a3f3d531246ee599efecb8aed68bed27d860e0a

    • SHA512

      2f98d074df39c3bcf3ffae38c911b90487499a8c40fd1a4c45d7c9acf804acb3edf6d820295c4f1c4226be00a9a358b4db1c94936896e01a7f6bbda89ce60334

    • SSDEEP

      768:RpCNKZaAWYRoU6XIUeFtV1fTl3DNQa9aK+wg5pV3Lkvmv0Yu00:RJoAcEB7UJpuva0YX0

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks