Overview

overview

10

Static

static

3

2bbb66a5ba...eN.exe

windows7-x64

8

2bbb66a5ba...eN.exe

windows10-2004-x64

10

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2bbb66a5bad18e8ca2fee4fec0bfc6ce83b1cc4852d712c986685f095b3589ceN.exe

  • Size

    1.1MB

  • Sample

    241220-freh8a1nbr

  • MD5

    487fad16da392c87fb894a6ccbd95870

  • SHA1

    16f4935ce6d245d535f23a1557b6f0e0ad77baa9

  • SHA256

    2bbb66a5bad18e8ca2fee4fec0bfc6ce83b1cc4852d712c986685f095b3589ce

  • SHA512

    bbb60d3e7a24964e100ea583bd701dbf1b1ebffb44fd03de5f6c096b87de8ded04e7ece05dd28995eb2bcdf1e3cdb1fcaa11078277cba3b41af1a5c4b8e04b59

  • SSDEEP

    24576:zNrNYogUzS7ZTdlfjS03VwV5k7j5awX300zQUGtZc:Z+JI2Jj3VwXgj5aEkHUGtZc

Score
10/10
vipkeyloggercollectiondiscoveryexecutionkeyloggerspywarestealer

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7745751910:AAGY46QDCTWO_Pw9iDqZhkNij-i4uwbMgzE/sendMessage?chat_id=7695061973

Targets

    • Target

      2bbb66a5bad18e8ca2fee4fec0bfc6ce83b1cc4852d712c986685f095b3589ceN.exe

    • Size

      1.1MB

    • MD5

      487fad16da392c87fb894a6ccbd95870

    • SHA1

      16f4935ce6d245d535f23a1557b6f0e0ad77baa9

    • SHA256

      2bbb66a5bad18e8ca2fee4fec0bfc6ce83b1cc4852d712c986685f095b3589ce

    • SHA512

      bbb60d3e7a24964e100ea583bd701dbf1b1ebffb44fd03de5f6c096b87de8ded04e7ece05dd28995eb2bcdf1e3cdb1fcaa11078277cba3b41af1a5c4b8e04b59

    • SSDEEP

      24576:zNrNYogUzS7ZTdlfjS03VwV5k7j5awX300zQUGtZc:Z+JI2Jj3VwXgj5aEkHUGtZc

    Score
    10/10
    discoveryexecutionvipkeyloggercollectionkeyloggerspywarestealer

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

      stealerkeyloggervipkeylogger

    • Vipkeylogger family

      vipkeylogger

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      7KB

    • MD5

      675c4948e1efc929edcabfe67148eddd

    • SHA1

      f5bdd2c4329ed2732ecfe3423c3cc482606eb28e

    • SHA256

      1076ca39c449ed1a968021b76ef31f22a5692dfafeea29460e8d970a63c59906

    • SHA512

      61737021f86f54279d0a4e35db0d0808e9a55d89784a31d597f2e4b65b7bbeec99aa6c79d65258259130eeda2e5b2820f4f1247777a3010f2dc53e30c612a683

    • SSDEEP

      96:J9zdzBzMDByZtr/HDQIUIq9m6v6vBckzu9wSBpLEgvElHlernNQaSGYuH2DQ:JykDr/HA5v6G2IElFernNQZGdHW

    Score
    3/10
    discovery
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks