Extracted

• • Target

    88a5fa91e12be14e5e37a237da70392dd9218f29ad88fa2cff8693ab4e215e81.exe

  • Size

    771KB

  • MD5

    831a8a58088361d324c958970b8ed79c

  • SHA1

    13366befe0af1ebb0665c81209dcab3388257cf0

  • SHA256

    88a5fa91e12be14e5e37a237da70392dd9218f29ad88fa2cff8693ab4e215e81

  • SHA512

    a52f7d06cc421cfb6450c9c747c27b30342fa74eb9809b38be22191a999985fe248ee600490c37e7d291e2addc71f8a922033ed934ee762dfda6012c1f1c531a

  • SSDEEP

    12288:6DGZKmormA1VThZChbBUsfycFOzZ85VEuC4pJBFN167jo0WrAvgCTBIK4nzDiV:4mor/1xhZChlVfyPOJC4pzFTIMLrq8O

  Score

  10^/10

  discoveryexecutionvipkeyloggercollectionkeyloggerstealer

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    stealerkeyloggervipkeylogger

  • Vipkeylogger family

    vipkeylogger

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Loads dropped DLL

  • Accesses Microsoft Outlook profiles

    collection

  • Blocklisted process makes network request

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2

• • Target

    $PLUGINSDIR/nsExec.dll

  • Size

    6KB

  • MD5

    1b0e41f60564cccccd71347d01a7c397

  • SHA1

    b1bddd97765e9c249ba239e9c95ab32368098e02

  • SHA256

    13ebc725f3f236e1914fe5288ad6413798ad99bef38bfe9c8c898181238e8a10

  • SHA512

    b6d7925cdff358992b2682cf1485227204ce3868c981c47778dd6da32057a595caa933d8242c8d7090b0c54110d45fa8f935a1b4eec1e318d89cc0e44b115785

  • SSDEEP

    96:s7fhfKaGgchPzxK6bq+pKX6D8ZLidGgmkN838:UbGgGPzxeX6D8ZyGgmkN

  Score

  3^/10

  discovery
  behavioral3behavioral4