Extracted

• • Target

    4b0c3d89a63dc1f177379ea05642c3c3b377adc560b26c7a41aebd2ed1afe9ac.exe

  • Size

    1.0MB

  • MD5

    68ad57514cfb4e1cb4529556dbbc9b73

  • SHA1

    3681d090c965cd8af1c7bffd6fe5427e997daa41

  • SHA256

    4b0c3d89a63dc1f177379ea05642c3c3b377adc560b26c7a41aebd2ed1afe9ac

  • SHA512

    f2ef34f8ad5282676bdc3913007d471cc59e1bf20c5371817b3c85a2c24c19983d3c6c2f5e00bb539fc6596a0b02b4a33e59a4391a4165c22e0cbf2edd103f5a

  • SSDEEP

    24576:ENrNYo6GP6fzfqUC1tkth3VwV5k7j5awX300zQUGtZq:U+S6fziUC1wh3VwXgj5aEkHUGtZq

  Score

  10^/10

  discoveryexecutionvipkeyloggercollectionkeyloggerstealer

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    stealerkeyloggervipkeylogger

  • Vipkeylogger family

    vipkeylogger

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Loads dropped DLL

  • Accesses Microsoft Outlook profiles

    collection

  • Blocklisted process makes network request

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of NtCreateThreadExHideFromDebugger

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2

• • Target

    $PLUGINSDIR/nsExec.dll

  • Size

    7KB

  • MD5

    675c4948e1efc929edcabfe67148eddd

  • SHA1

    f5bdd2c4329ed2732ecfe3423c3cc482606eb28e

  • SHA256

    1076ca39c449ed1a968021b76ef31f22a5692dfafeea29460e8d970a63c59906

  • SHA512

    61737021f86f54279d0a4e35db0d0808e9a55d89784a31d597f2e4b65b7bbeec99aa6c79d65258259130eeda2e5b2820f4f1247777a3010f2dc53e30c612a683

  • SSDEEP

    96:J9zdzBzMDByZtr/HDQIUIq9m6v6vBckzu9wSBpLEgvElHlernNQaSGYuH2DQ:JykDr/HA5v6G2IElFernNQZGdHW

  Score

  3^/10

  discovery
  behavioral3behavioral4