Overview

overview

10

Static

static

3

fc6fb69c92...8f.exe

windows7-x64

7

fc6fb69c92...8f.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    fc6fb69c921c1d6b3057cfd5658ef095e00f9fa125fe8675c653fa6ce38e118f.exe

  • Size

    560KB

  • Sample

    250111-gvgy7azrdk

  • MD5

    63a7bcf75c4f84b0e2dd1645f9e8fcfe

  • SHA1

    89d5b0b09816aad68fdc82d47036e59c92200688

  • SHA256

    fc6fb69c921c1d6b3057cfd5658ef095e00f9fa125fe8675c653fa6ce38e118f

  • SHA512

    73fd3357e25651d2e9f0b615749e4fa498e78c3a177691da0d0506cb0883b4d4db8b83df1605ab6295824e052a7bdd3d101eeb2b854f159861893cbd5cea1276

  • SSDEEP

    12288:6fYfUlNHYh6kt2Faw5xzsSRF+woxPXueq/PZxIgLYeEbH+aQ:6fYMPYcq2FrzOHueQhxIgsH9Q

Score
10/10
vipkeyloggercollectiondiscoverykeyloggerspywarestealer

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot8118244750:AAHW9qN4qIFfpwTeDTPtn27qicq6nUcMbog/sendMessage?chat_id=1767942457

Targets

    • Target

      fc6fb69c921c1d6b3057cfd5658ef095e00f9fa125fe8675c653fa6ce38e118f.exe

    • Size

      560KB

    • MD5

      63a7bcf75c4f84b0e2dd1645f9e8fcfe

    • SHA1

      89d5b0b09816aad68fdc82d47036e59c92200688

    • SHA256

      fc6fb69c921c1d6b3057cfd5658ef095e00f9fa125fe8675c653fa6ce38e118f

    • SHA512

      73fd3357e25651d2e9f0b615749e4fa498e78c3a177691da0d0506cb0883b4d4db8b83df1605ab6295824e052a7bdd3d101eeb2b854f159861893cbd5cea1276

    • SSDEEP

      12288:6fYfUlNHYh6kt2Faw5xzsSRF+woxPXueq/PZxIgLYeEbH+aQ:6fYMPYcq2FrzOHueQhxIgsH9Q

    Score
    10/10
    discoveryvipkeyloggercollectionkeyloggerspywarestealer

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

      stealerkeyloggervipkeylogger

    • Vipkeylogger family

      vipkeylogger

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      192639861e3dc2dc5c08bb8f8c7260d5

    • SHA1

      58d30e460609e22fa0098bc27d928b689ef9af78

    • SHA256

      23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6

    • SHA512

      6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

    • SSDEEP

      192:ljHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZqE0QPi:R/Qlt7wiij/lMRv/9V4bfr

    Score
    3/10
    discovery
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks