General

  • Target

    f459c492671666638899a5c5d716538ecff3516338e5cea64e5d53fa421ec2ba.exe

  • Size

    560KB

  • Sample

    250110-rkmf2aynbp

  • MD5

    21eb0bfd14e8ab29a3c29d5b60ee09e1

  • SHA1

    9cff284042166495e20428500545b99330a1a9c8

  • SHA256

    f459c492671666638899a5c5d716538ecff3516338e5cea64e5d53fa421ec2ba

  • SHA512

    cf0d15a179940c800cb669384a0874200650b0da7b8db58c3e1a8cf87cb5d3ac5953a10c68366436917812f24d32a7f12506831294bec53b6e41ed8a7b1a56e8

  • SSDEEP

    12288:n93jlz5CwkzUf1DYt/itWe7NAZSfR6IWAKsbk1B8B:n93jlzcxzUf9S6tx7mWKNeoiB

Malware Config

Extracted

  • Family

    vipkeylogger

  • C2

    https://api.telegram.org/bot7808466522:AAFleMCkdYBjkW3SQRMH5osM11THNEIFjRA/sendMessage?chat_id=7161037710

Targets

    • Target

      f459c492671666638899a5c5d716538ecff3516338e5cea64e5d53fa421ec2ba.exe

    • Size

      560KB

    • MD5

      21eb0bfd14e8ab29a3c29d5b60ee09e1

    • SHA1

      9cff284042166495e20428500545b99330a1a9c8

    • SHA256

      f459c492671666638899a5c5d716538ecff3516338e5cea64e5d53fa421ec2ba

    • SHA512

      cf0d15a179940c800cb669384a0874200650b0da7b8db58c3e1a8cf87cb5d3ac5953a10c68366436917812f24d32a7f12506831294bec53b6e41ed8a7b1a56e8

    • SSDEEP

      12288:n93jlz5CwkzUf1DYt/itWe7NAZSfR6IWAKsbk1B8B:n93jlzcxzUf9S6tx7mWKNeoiB

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first found in 2020.

    • Vipkeylogger family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      b648c78981c02c434d6a04d4422a6198

    • SHA1

      74d99eed1eae76c7f43454c01cdb7030e5772fc2

    • SHA256

      3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

    • SHA512

      219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

    • SSDEEP

      96:U7GUxNkO6GR0t9GKKr1Zd8NHYVVHp4dEeY3kRnHdMqqyVgNN3e:mXhHR0aTQN4gRHdMqJVgNE

    Score: 3/10

MITRE ATT&CK Enterprise v15

Tasks