General

  • Target

    adba17585094466b438d2c0e081620d90f4d347266aede731acbd7b010dc79f4.tar

  • Size

    575KB

  • Sample

    241220-fdkhbaznav

  • MD5

    5a092e36ed2a286a6c1875d42c3bf1ad

  • SHA1

    1913af7acbe8c24b6285f896841736f73af62549

  • SHA256

    adba17585094466b438d2c0e081620d90f4d347266aede731acbd7b010dc79f4

  • SHA512

    53f4c263f39776e1cbb7e0dd54912e469c680b62759f60fc2fbe582cab9edf462406fe9902e27f2fdb720f24ee4a591c7f85693fcfb949b32625a28221826093

  • SSDEEP

    12288:g93jliesAP5dtwQYYy016wq2FFbyADqbM5LugDkzicmrdZN:g93jliR4jasy01DHn+AWYROicudZN

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7745751910:AAGY46QDCTWO_Pw9iDqZhkNij-i4uwbMgzE/sendMessage?chat_id=7695061973
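The C2 above is a Telegram Bot API endpoint: the path carries the bot token (a credential the operator cannot rotate without redeploying the stealer) and the query carries the destination chat. The block below is an added example, not part of the sandbox report, showing how a defender would pull those fields out of a proxy log and turn them into a precise indicator. The log format (timestamp, client, process, URL) and all lines other than the page's own C2 URL are constructed for the example, and the token-secret length range in the regular expression is an assumption based on the 35-character secret seen here.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Telegram Bot API path layout: /bot<numeric bot id>:<secret>/<method>
# The secret seen on this page is 35 characters; the 30-50 range is an assumption
# to tolerate other lengths without matching obviously malformed paths.
TELEGRAM_BOT_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]{30,50})/([A-Za-z]+)$")


def parse_telegram_c2(url):
    """Return IOC fields for a Telegram Bot API URL, or None if it is not one."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        return None
    m = TELEGRAM_BOT_RE.match(parts.path)
    if not m:
        return None
    bot_id, secret, method = m.groups()
    chat_id = parse_qs(parts.query).get("chat_id", [None])[0]
    return {
        "bot_id": bot_id,
        "bot_token": f"{bot_id}:{secret}",
        "method": method,          # sendMessage / sendDocument = exfil channel
        "chat_id": chat_id,        # operator's receiving chat
        # Block on the token path, not the host: api.telegram.org is legitimate
        # and shared with every benign bot integration in the environment.
        "block_pattern": f"/bot{bot_id}:{secret}/",
    }


# Constructed proxy log lines: "<timestamp> <client> <process> <url>".
# The first URL is the C2 extracted by the sandbox for this sample.
SAMPLE_PROXY_LOG = [
    "2024-12-20T10:01:02Z 10.0.0.15 Overheaped237.exe "
    "https://api.telegram.org/bot7745751910:AAGY46QDCTWO_Pw9iDqZhkNij-i4uwbMgzE/sendMessage?chat_id=7695061973",
    "2024-12-20T10:01:03Z 10.0.0.15 chrome.exe https://web.telegram.org/a/",
    "2024-12-20T10:01:04Z 10.0.0.22 curl.exe https://api.telegram.org/bot123456:short/getMe",
    "2024-12-20T10:01:05Z 10.0.0.15 Overheaped237.exe "
    "https://api.telegram.org/bot7745751910:AAGY46QDCTWO_Pw9iDqZhkNij-i4uwbMgzE/sendDocument?chat_id=7695061973",
]


def find_bot_c2(lines):
    """Scan log lines and return one record per Telegram Bot API request."""
    hits = []
    for line in lines:
        _ts, client, process, url = line.split(maxsplit=3)
        ioc = parse_telegram_c2(url)
        if ioc:
            hits.append({"client": client, "process": process, **ioc})
    return hits


if __name__ == "__main__":
    for hit in find_bot_c2(SAMPLE_PROXY_LOG):
        print(hit["process"], hit["method"], hit["bot_id"], hit["chat_id"])
```

The extracted token is effectively a credential for the operator's bot, so treat it as a sensitive indicator when sharing; the `bot_id`, `chat_id` and `block_pattern` fields are what belongs in a blocklist or detection rule.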

Targets

    • Target

      Overheaped237.exe

    • Size

      573KB

    • MD5

      8f4adfd3b8c55670a99389ba3905e43d

    • SHA1

      24e4a66a55b65fe58933ac92b161befc5c5df977

    • SHA256

      8126f3d67e43f2c93f178b68cc6a791a61c7f4f986cd5fb0d213780c4aa8e2d4

    • SHA512

      9ddc6fb7d8f92d4ad22e1842704dfd8cad0184f86c9482fb2cbc051008a46bb87449c8abba66b4179fc602978c31ea9215cd070c7008e39f71b6d24a43c3c527

    • SSDEEP

      12288:d93jliesAP5dtwQYYy016wq2FFbyADqbM5LugDkzicmrdZNf:d93jliR4jasy01DHn+AWYROicudZNf

    • VIPKeylogger

VIPKeylogger is a keylogger and information stealer written in C#; it closely resembles SnakeKeylogger, which was first observed in 2020.

    • Vipkeylogger family

    • Command and Scripting Interpreter: PowerShell

Runs PowerShell with its display window hidden.

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger
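The "Command and Scripting Interpreter: PowerShell" behaviour above is the sandbox noticing PowerShell launched with a hidden window. A detection that only looks for the literal string `-WindowStyle Hidden` misses the common abbreviated forms, because PowerShell accepts any unambiguous prefix of a parameter name and of an enum value (`-w h`, `-win hidd`, and so on). The block below is an added example, not code from the report or from the malware, that builds the abbreviation-tolerant match and runs it over constructed process-creation command lines; the sample command lines, and the image names it treats as PowerShell, are assumptions for the example.

```python
import re


def _prefixes(word, minimum):
    """Every abbreviation PowerShell accepts for a parameter name or enum
    value: each prefix of `word` that is at least `minimum` characters long."""
    return [word[:i] for i in range(minimum, len(word) + 1)]


def _alt(words):
    """Regex alternation, longest alternative first."""
    return "|".join(sorted(map(re.escape, words), key=len, reverse=True))


# -WindowStyle Hidden and all of its abbreviations (-w h, -win hidd, ...).
# Note: in Windows PowerShell 5.1 "-w" resolves to -WindowStyle; in pwsh 7 it is
# ambiguous with -WorkingDirectory, so the shortest working form there is "-wi".
HIDDEN_WINDOW_RE = re.compile(
    r"(?<!\S)-(?:%s)\s+(?:%s)(?!\S)"
    % (_alt(_prefixes("windowstyle", 1)), _alt(_prefixes("hidden", 1))),
    re.IGNORECASE,
)

# -EncodedCommand and its abbreviations (-e, -ec, -enc, ...) followed by base64.
ENCODED_CMD_RE = re.compile(
    r"(?<!\S)-(?:%s)\s+[A-Za-z0-9+/=]{8,}" % _alt(_prefixes("encodedcommand", 1)),
    re.IGNORECASE,
)

POWERSHELL_IMAGES = {"powershell", "powershell.exe", "pwsh", "pwsh.exe"}


def classify_powershell(cmdline):
    """Describe one process command line. Assumes an unquoted image path
    (the first whitespace-delimited token) as in the constructed samples."""
    image = cmdline.split()[0].lower().rsplit("\\", 1)[-1]
    return {
        "cmdline": cmdline,
        "is_powershell": image in POWERSHELL_IMAGES,
        "hidden_window": bool(HIDDEN_WINDOW_RE.search(cmdline)),
        "encoded_command": bool(ENCODED_CMD_RE.search(cmdline)),
    }


# Constructed process-creation events; none are taken from the sandbox report.
SAMPLE_PROCESS_EVENTS = [
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden "
    r"-ExecutionPolicy Bypass -File C:\Users\Public\stage.ps1",
    r'powershell -w h -nop -c "Start-Sleep 1"',
    r"powershell.exe -NoProfile -Command Get-Process",
    r"pwsh -win hidd -enc SQBFAFgA",
    r"cmd.exe /c echo -WindowStyle Hidden",  # the string alone is not the behaviour
]


def suspicious_powershell(events):
    """Return the events that match the sandbox behaviour: PowerShell with a hidden window."""
    return [
        rec
        for rec in (classify_powershell(e) for e in events)
        if rec["is_powershell"] and rec["hidden_window"]
    ]


if __name__ == "__main__":
    for rec in suspicious_powershell(SAMPLE_PROCESS_EVENTS):
        print("hidden PowerShell window:", rec["cmdline"],
              "(encoded command)" if rec["encoded_command"] else "")
```

Generating the alternations from the parameter name, rather than hand-listing a few abbreviations, is what keeps the rule honest against operators who shorten the flags precisely to evade string matches; the image-name check keeps the same string inside an unrelated command line (the `cmd.exe` sample) from firing.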

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      b648c78981c02c434d6a04d4422a6198

    • SHA1

      74d99eed1eae76c7f43454c01cdb7030e5772fc2

    • SHA256

      3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

    • SHA512

      219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

    • SSDEEP

      96:U7GUxNkO6GR0t9GKKr1Zd8NHYVVHp4dEeY3kRnHdMqqyVgNN3e:mXhHR0aTQN4gRHdMqJVgNE

    Score
    3/10

MITRE ATT&CK Enterprise v15
