Overview

overview

10

Static

static

3

8806ce3118...ff.exe

windows7-x64

8

8806ce3118...ff.exe

windows10-2004-x64

10

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    8806ce311854fa80261e855453c07d30b43a24d413c65cdfaae99024408bd6ff.exe

  • Size

    761KB

  • Sample

    250111-essa2awkhp

  • MD5

    a1204c6a7fe28bab5db0e3240513a857

  • SHA1

    909f041efc5859b43f547017085e3cf39a05a4fa

  • SHA256

    8806ce311854fa80261e855453c07d30b43a24d413c65cdfaae99024408bd6ff

  • SHA512

    7d7c39189e6bc7c5339e08154dbbc45230b07ff55b62dadfe9828851276c0111ab76c143931d7a097395204cd2df2f00d2647f5e6f0e3254999988635c409777

  • SSDEEP

    12288:0GCX77iIcM1saeQHgPVseMP/pmRR324xFcdW693tRLPHj6XOaho:qr75cgYQHgK3PxEBXi93tJPDUOB

Score
10/10
vipkeyloggerdiscoveryexecutionkeyloggerstealer

Malware Config

Extracted

Family

vipkeylogger

Credentials
C2

https://api.telegram.org/bot8101497037:AAEvNeES2X17rekW3womq6JjOwgZLJMqX1Y/sendMessage?chat_id=7171338311

Targets

    • Target

      8806ce311854fa80261e855453c07d30b43a24d413c65cdfaae99024408bd6ff.exe

    • Size

      761KB

    • MD5

      a1204c6a7fe28bab5db0e3240513a857

    • SHA1

      909f041efc5859b43f547017085e3cf39a05a4fa

    • SHA256

      8806ce311854fa80261e855453c07d30b43a24d413c65cdfaae99024408bd6ff

    • SHA512

      7d7c39189e6bc7c5339e08154dbbc45230b07ff55b62dadfe9828851276c0111ab76c143931d7a097395204cd2df2f00d2647f5e6f0e3254999988635c409777

    • SSDEEP

      12288:0GCX77iIcM1saeQHgPVseMP/pmRR324xFcdW693tRLPHj6XOaho:qr75cgYQHgK3PxEBXi93tJPDUOB

    Score
    10/10
    discoveryexecutionvipkeyloggerkeyloggerstealer

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

      stealerkeyloggervipkeylogger

    • Vipkeylogger family

      vipkeylogger

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Loads dropped DLL

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      01e76fe9d2033606a48d4816bd9c2d9d

    • SHA1

      e46d8a9ed4d5da220c81baf5f1fdb94708e9aba2

    • SHA256

      ee052fd5141bf769b841846170aabf0d7c2bb922c74c623c3f109344534f7a70

    • SHA512

      62ef7095d1bf53354c20329c2ce8546c277aa0e791839c8a24108a01f9483a953979259e0ad04dbcab966444ee7cdd340f8c9557bc8f98e9400794f2751dc7e0

    • SSDEEP

      96:J7fhfKaGgchPzxK6bq+pKX6D8ZLidGgmkN738:HbGgGPzxeX6D8ZyGgmkN

    Score
    3/10
    discovery
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks