General

  • Target

    cee3ae54c0f49335db69551733260a6e0bb7f72089b126b14a09d44722bbdc8f.exe

  • Size

    558KB

  • Sample

    241220-hdazzssket

  • MD5

    a30468384472782c5b2fc6a439f641bb

  • SHA1

    2695582dda03035b463e939b1a2577505e9a2766

  • SHA256

    cee3ae54c0f49335db69551733260a6e0bb7f72089b126b14a09d44722bbdc8f

  • SHA512

    c2cee48e6c124cbcd2a09e0d0381f38d2602522a5b57577b039aaeb43e4611313c1865c00a98cabacd1edca8b43bbcbad0f6fbb8594c0c36bf4438c57708eaa4

  • SSDEEP

    12288:g93jlsINtJD2SoxlyLpJdNLNrDv7ucLrv70:g93jlsyUSQ8LpJdNLNrjNPvY

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7557203423:AAGe1HpB3h500YMl-g1jm79Gu1CeWQ1Wrtg/sendMessage?chat_id=5434550993

Targets

    • Target

      cee3ae54c0f49335db69551733260a6e0bb7f72089b126b14a09d44722bbdc8f.exe

    • Size

      558KB

    • MD5

      a30468384472782c5b2fc6a439f641bb

    • SHA1

      2695582dda03035b463e939b1a2577505e9a2766

    • SHA256

      cee3ae54c0f49335db69551733260a6e0bb7f72089b126b14a09d44722bbdc8f

    • SHA512

      c2cee48e6c124cbcd2a09e0d0381f38d2602522a5b57577b039aaeb43e4611313c1865c00a98cabacd1edca8b43bbcbad0f6fbb8594c0c36bf4438c57708eaa4

    • SSDEEP

      12288:g93jlsINtJD2SoxlyLpJdNLNrDv7ucLrv70:g93jlsyUSQ8LpJdNLNrjNPvY

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it closely resembles SnakeKeylogger, which was first seen in 2020.

    • Vipkeylogger family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its console window hidden.

    • Loads dropped DLL

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP-lookup web service to discover the infected system's external IP address.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      b648c78981c02c434d6a04d4422a6198

    • SHA1

      74d99eed1eae76c7f43454c01cdb7030e5772fc2

    • SHA256

      3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

    • SHA512

      219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

    • SSDEEP

      96:U7GUxNkO6GR0t9GKKr1Zd8NHYVVHp4dEeY3kRnHdMqqyVgNN3e:mXhHR0aTQN4gRHdMqJVgNE

    Score
    3/10
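The behaviours listed above (Telegram Bot API C2 from the Malware Config section, the external IP lookup, and PowerShell launched with a hidden window) are the indicators a SOC would want to match in proxy and process telemetry. The following is an added example and is not part of this report or of any sandbox's own code: the log events are constructed, the bot token is a placeholder with the same shape as the one in the extracted config, and the IP-lookup host list is an assumed watchlist, since the report does not name the service this sample contacted.

```python
"""Triage helpers for the indicators in this report (added example)."""
import re
from urllib.parse import urlparse, parse_qs

# Telegram Bot API requests look like https://api.telegram.org/bot<token>/<method>
# where <token> is "<numeric bot id>:<secret>". Both halves are IOCs: the bot id
# is stable across the operator's tooling and the secret must be rotated to cut
# the sample off. Secret length is tolerant because the exact length is not
# something this detection should depend on.
TELEGRAM_BOT_RE = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)$"
)

# Assumed watchlist of public IP-lookup services commonly used by stealers.
# The report does not say which one this sample used.
IP_LOOKUP_HOSTS = {
    "checkip.dyndns.org", "api.ipify.org", "ip-api.com", "ipinfo.io", "icanhazip.com",
}

# Browsers legitimately hit IP-lookup sites; the signal is a non-browser process doing it.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}

# PowerShell accepts any unambiguous prefix of -WindowStyle (-w, -win, -window ...),
# so match the prefix family rather than the full parameter name.
HIDDEN_WINDOW_RE = re.compile(r"(?i)(?:^|\s)-w[a-z]{0,10}\s+hidden\b")


def parse_telegram_c2(url):
    """Return bot_id/token/method/chat_id for a Telegram Bot API URL, else None."""
    u = urlparse(url)
    if u.hostname != "api.telegram.org":
        return None
    m = TELEGRAM_BOT_RE.match(u.path)
    if not m:
        return None
    q = parse_qs(u.query)
    return {
        "bot_id": m.group("bot_id"),
        "token": f"{m.group('bot_id')}:{m.group('secret')}",
        "method": m.group("method"),
        "chat_id": q.get("chat_id", [None])[0],
    }


def classify_network(event):
    """event: {'process': image name, 'url': requested URL}. Returns finding tags."""
    findings = []
    host = (urlparse(event["url"]).hostname or "").lower()
    c2 = parse_telegram_c2(event["url"])
    # sendMessage/sendDocument are the methods used to push stolen data to the operator.
    if c2 and c2["method"] in ("sendMessage", "sendDocument"):
        findings.append(
            f"telegram-bot-api-exfil bot_id={c2['bot_id']} chat_id={c2['chat_id']}"
        )
    if host in IP_LOOKUP_HOSTS and event["process"].lower() not in BROWSERS:
        findings.append(f"external-ip-lookup host={host}")
    return findings


def classify_process(event):
    """event: {'image': full path, 'cmdline': command line}. Flags hidden-window PowerShell."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if image in ("powershell.exe", "pwsh.exe") and HIDDEN_WINDOW_RE.search(event["cmdline"]):
        return ["powershell-hidden-window"]
    return []


# Constructed sample telemetry (not taken from the report's own capture).
FAKE_TOKEN = "1234567890:" + "A" * 35  # placeholder shaped like a real bot token
SAMPLE_NETWORK = [
    {"process": "file.exe",
     "url": f"https://api.telegram.org/bot{FAKE_TOKEN}/sendMessage?chat_id=1111111111"},
    {"process": "file.exe", "url": "http://checkip.dyndns.org/"},
    {"process": "chrome.exe", "url": "https://api.ipify.org/"},   # browser: ignored
    {"process": "file.exe", "url": "https://www.microsoft.com/"},  # benign: ignored
]
SAMPLE_PROCESSES = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -ep bypass -c "iex (gc x.txt)"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command Get-Date"},                # visible: ignored
]


def run_sample():
    """Run both classifiers over the constructed telemetry and return all findings."""
    net = [f for e in SAMPLE_NETWORK for f in classify_network(e)]
    proc = [f for e in SAMPLE_PROCESSES for f in classify_process(e)]
    return net + proc


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Blocking api.telegram.org outright is rarely an option because the host is shared with legitimate users, which is exactly why the family uses it; the bot id and chat_id extracted from the config are the durable indicators to pivot on across samples, and the token itself is what the operator has to rotate once it is burned.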

MITRE ATT&CK Enterprise v15

Tasks