General

  • Target

    ST07933.exe

  • Size

    820KB

  • Sample

    241210-s2bxasype1

  • MD5

    d9c24eb3137fb3e1f939625d3076bb0f

  • SHA1

    9d06b465b4e137dccc09aa583fd928bbcf2275aa

  • SHA256

    02184b32f1b3e76b78acf7e889f3f581ef65696df1f64efb9bfe3b2d2ccabfd6

  • SHA512

    f1d6e69a72deb762416c0954faa05196debc9b6b53ab9a38621dbeb0175dd907ce4758b0aea6f78501b5b9a6c8307c50a10fe7c6e4af72415c9a573d08baf057

  • SSDEEP

    24576:wTkQIwLXEADfmo/SbKdsyjlR4MsfZV+ER/r:qvTDf6bKdsalRpsfZV+q/r

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      ST07933.exe

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.

    • Vipkeylogger family

    • Accesses Microsoft Outlook profiles

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks