Overview

overview

10

Static

static

8

d998055907...b7.doc

windows7-x64

10

d998055907...b7.doc

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d9980559077d0cf6e251608efa44277ac5cd2b64236ecc31b352a93992e2f2b7.doc

  • Size

    51KB

  • Sample

    250107-dczvha1jdy

  • MD5

    754c08a32cbfe16e0982b5b56835e247

  • SHA1

    7338cada263faae3d79631efa1c895bf690a4eb3

  • SHA256

    d9980559077d0cf6e251608efa44277ac5cd2b64236ecc31b352a93992e2f2b7

  • SHA512

    6cc3a3a351b58cb5763a745b07a492aaf944e1526a49c3f6da7135e6295a701e7f526c052fcf4961af7a08756f51226f5fbecb4e242d8fdde0f61fa1717772e1

  • SSDEEP

    384:Zp0xfMJvBv2xv8R89JMjN6m4iKpIEOqY+tKiSsqdg1vA9tzt/Mi+P0jN4pfZt8Fs:ZkUJJU6wVoJ+1o9t1MRi4pQmv+SWw

Score
10/10
modiloadervipkeyloggercollectiondiscoverykeyloggermacromacro_on_actionpersistencespywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.techniqueqatar.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    TechFB2023$$$

Extracted

Family

vipkeylogger

Targets

    • Target

      d9980559077d0cf6e251608efa44277ac5cd2b64236ecc31b352a93992e2f2b7.doc

    • Size

      51KB

    • MD5

      754c08a32cbfe16e0982b5b56835e247

    • SHA1

      7338cada263faae3d79631efa1c895bf690a4eb3

    • SHA256

      d9980559077d0cf6e251608efa44277ac5cd2b64236ecc31b352a93992e2f2b7

    • SHA512

      6cc3a3a351b58cb5763a745b07a492aaf944e1526a49c3f6da7135e6295a701e7f526c052fcf4961af7a08756f51226f5fbecb4e242d8fdde0f61fa1717772e1

    • SSDEEP

      384:Zp0xfMJvBv2xv8R89JMjN6m4iKpIEOqY+tKiSsqdg1vA9tzt/Mi+P0jN4pfZt8Fs:ZkUJJU6wVoJ+1o9t1MRi4pQmv+SWw

    Score
    10/10
    modiloaderdiscoverypersistencetrojanvipkeyloggercollectionkeyloggerspywarestealer

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Modiloader family

      modiloader

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

      stealerkeyloggervipkeylogger

    • Vipkeylogger family

      vipkeylogger

    • ModiLoader Second Stage

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks