vipkeylogger

General

Target

f19b72b88ddbf56b257e6eef19c74e304beaf8f95d352741e400993472e721c9.exe
Size

764KB
Sample

250110-ryxtxsxkes
MD5

ee18481e218cc9bc7a1628f5a7365776
SHA1

57ea302c84a488de1e5a5bcc669e02c5d9a7a350
SHA256

f19b72b88ddbf56b257e6eef19c74e304beaf8f95d352741e400993472e721c9
SHA512

a4ae4e6f3d46c05141e1d60b3f92d1b2ad27d758ae27bc063fb3f5fef953237120480e700c5d05d90cc41d92497674c0e7d3e25dbd62e591445170077309f78b
SSDEEP

12288:0GCX77iIceZ0Na7lxnjXp54AQ2cPmT3a3ur93tRLPHj6XOahq:qr75cHavj7S1G3aer93tJPDUO/

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.abraher.com
Port:
587
Username:
[email protected]
Password:
General1

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.abraher.com
Port:
587
Username:
[email protected]
Password:
General1
Email To:
[email protected]

C2

https://api.telegram.org/bot8101497037:AAEvNeES2X17rekW3womq6JjOwgZLJMqX1Y/sendMessage?chat_id=7171338311

Targets

- Target
  
  f19b72b88ddbf56b257e6eef19c74e304beaf8f95d352741e400993472e721c9.exe
- Size
  
  764KB
- MD5
  
  ee18481e218cc9bc7a1628f5a7365776
- SHA1
  
  57ea302c84a488de1e5a5bcc669e02c5d9a7a350
- SHA256
  
  f19b72b88ddbf56b257e6eef19c74e304beaf8f95d352741e400993472e721c9
- SHA512
  
  a4ae4e6f3d46c05141e1d60b3f92d1b2ad27d758ae27bc063fb3f5fef953237120480e700c5d05d90cc41d92497674c0e7d3e25dbd62e591445170077309f78b
- SSDEEP
  
  12288:0GCX77iIceZ0Na7lxnjXp54AQ2cPmT3a3ur93tRLPHj6XOahq:qr75cHavj7S1G3aer93tJPDUO/
Score

10^/10

discovery execution vipkeylogger collection keylogger stealer
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Blocklisted process makes network request
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/nsExec.dll
- Size
  
  6KB
- MD5
  
  01e76fe9d2033606a48d4816bd9c2d9d
- SHA1
  
  e46d8a9ed4d5da220c81baf5f1fdb94708e9aba2
- SHA256
  
  ee052fd5141bf769b841846170aabf0d7c2bb922c74c623c3f109344534f7a70
- SHA512
  
  62ef7095d1bf53354c20329c2ce8546c277aa0e791839c8a24108a01f9483a953979259e0ad04dbcab966444ee7cdd340f8c9557bc8f98e9400794f2751dc7e0
- SSDEEP
  
  96:J7fhfKaGgchPzxK6bq+pKX6D8ZLidGgmkN738:HbGgGPzxeX6D8ZyGgmkN
Score

3^/10

discovery
behavioral3 behavioral4