vipkeylogger | e71a63d388fdcf8ad7fa5b03592fa116469a8a9f1bdcbbcb7aa459665905ff8a | Triage

Submit
Reports

Overview

overview

Static

static

3

PEDIDO161224.rar

windows10-2004-x64

Sharing

General

Target

PEDIDO161224.rar
Size

1.0MB
Sample

241217-hweqwstmby
MD5

5512e6253667a66d7300cac2b8f51b7f
SHA1

da9659a0350a4d575184c62b47bcfb6618aa4a8d
SHA256

e71a63d388fdcf8ad7fa5b03592fa116469a8a9f1bdcbbcb7aa459665905ff8a
SHA512

fbbc25e11b540de4dd76d6d73863d75bda05f9f32dbb04a8cf101ed480635f066a8fa9812ec8af06d5cdc52d6d211837e136db1c5a0657b092fed364c9f4b9d5
SSDEEP

24576:YaTMjZaerEV0kqXJ+ny3Nyq5loFJKiTlyvytMEGF3Yy:YfjZaGEQJuSyElIJr1G9X

Score

10^/10

vipkeylogger collection discovery execution keylogger stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

PEDIDO161224.rar

Resource

win10v2004-20241007-en

vipkeylogger collection discovery execution keylogger stealer

windows10-2004-x64

27 signatures

300 seconds

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7668974942:AAFyrHvXMv2uhMX9l0hNEPNVnFxCDfLErLs/sendMessage?chat_id=7295320361

Targets

- Target
  
  PEDIDO161224.rar
- Size
  
  1.0MB
- MD5
  
  5512e6253667a66d7300cac2b8f51b7f
- SHA1
  
  da9659a0350a4d575184c62b47bcfb6618aa4a8d
- SHA256
  
  e71a63d388fdcf8ad7fa5b03592fa116469a8a9f1bdcbbcb7aa459665905ff8a
- SHA512
  
  fbbc25e11b540de4dd76d6d73863d75bda05f9f32dbb04a8cf101ed480635f066a8fa9812ec8af06d5cdc52d6d211837e136db1c5a0657b092fed364c9f4b9d5
- SSDEEP
  
  24576:YaTMjZaerEV0kqXJ+ny3Nyq5loFJKiTlyvytMEGF3Yy:YfjZaGEQJuSyElIJr1G9X
Score

10^/10

vipkeylogger collection discovery execution keylogger stealer
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Blocklisted process makes network request
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

vipkeyloggercollectiondiscoveryexecutionkeyloggerstealer

© 2018-2024

Terms | Privacy