Extracted

Extracted

• • Target

    07999ec3c7658c8a44b81c24bc6b9ede3e923bbb90496e7d99cc6558e3d470b4.exe

  • Size

    880KB

  • MD5

    bc9ff7c64532238a148f394bfe4880be

  • SHA1

    c90b254fc30b0da39b1b9102bb66b577da9b4045

  • SHA256

    07999ec3c7658c8a44b81c24bc6b9ede3e923bbb90496e7d99cc6558e3d470b4

  • SHA512

    746881467817fed1d2d4cc136cadb14a8dcee2fbe0b18e4083bcb719ce9470d9d5b7fb02f0617befd8593e89ddecc0f7cdae6f97705b256d50b4ef88844e8f99

  • SSDEEP

    24576:OPX04T0HUUGu8JZ3flmaIuYgxEJisWHbJrz5ACBv5:OnWYR7lkgEyl7

  Score

  10^/10

  discoveryexecutionvipkeyloggercollectionevasionkeyloggerstealertrojan

  • Modifies Windows Defender DisableAntiSpyware settings

    evasiontrojan

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    stealerkeyloggervipkeylogger

  • Vipkeylogger family

    vipkeylogger

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Loads dropped DLL

  • Accesses Microsoft Outlook profiles

    collection

  • Blocklisted process makes network request

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of NtCreateThreadExHideFromDebugger

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2

• • Target

    $PLUGINSDIR/nsExec.dll

  • Size

    6KB

  • MD5

    fa299e199922b3ba833be655a8d71b75

  • SHA1

    4d74c53bb6927a2831df93af26f3e4e4fb007797

  • SHA256

    49a6a1c1f19574b2a247ce6c5adc0751e046d27c30912816ba415f871b74ae5d

  • SHA512

    7ceb64d3d826762994c48ffad3ad2234410cbcdbedfce9a2dc03d18915ce22d687173f90e954d7bdb0eae76954c360059ad761aedc48cd7fa4ec29d6094f6a65

  • SSDEEP

    96:v7fhZwXd8KgEbAa9PweF1WxD8ZLMJGgmkNO38:4N8KgWAuLWxD8ZAGgmkN

  Score

  3^/10

  discovery
  behavioral3behavioral4