General
-
Target
1add121c2feec6d6e010da17f2a84fe71236b6ab1f55a62a02014f72b62ce3a4.chm
-
Size
75KB
-
Sample
250129-cpqa6axpcz
-
MD5
9c8a5461b7d545e1df98e0d63bc27ec2
-
SHA1
bef27ecbd3832ecd148c81bf3a3272408833e492
-
SHA256
1add121c2feec6d6e010da17f2a84fe71236b6ab1f55a62a02014f72b62ce3a4
-
SHA512
ad2cc969ad7dbbf88908e5e85d93e193b47dc1a0bf48cd3eff578434ceaa541f41d874f7531baf52809a3767d50a15110789ead221e92f61514bbfc53e0e96ac
-
SSDEEP
1536:4G2kZqDwXQa3OFBLedkZdWSycuSF02YqlO5Szs7HJiJl:R2kZZXHMBL7hr1W2VlOW
Static task
static1
Behavioral task
behavioral1
Sample
1add121c2feec6d6e010da17f2a84fe71236b6ab1f55a62a02014f72b62ce3a4.chm
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
1add121c2feec6d6e010da17f2a84fe71236b6ab1f55a62a02014f72b62ce3a4.chm
Resource
win10v2004-20241007-en
Malware Config
Extracted
Protocol: smtp- Host:
lax029.hawkhost.com - Port:
587 - Username:
server1@massmaesure.com - Password:
london@1759
Extracted
vipkeylogger
Targets
-
-
Target
1add121c2feec6d6e010da17f2a84fe71236b6ab1f55a62a02014f72b62ce3a4.chm
-
Size
75KB
-
MD5
9c8a5461b7d545e1df98e0d63bc27ec2
-
SHA1
bef27ecbd3832ecd148c81bf3a3272408833e492
-
SHA256
1add121c2feec6d6e010da17f2a84fe71236b6ab1f55a62a02014f72b62ce3a4
-
SHA512
ad2cc969ad7dbbf88908e5e85d93e193b47dc1a0bf48cd3eff578434ceaa541f41d874f7531baf52809a3767d50a15110789ead221e92f61514bbfc53e0e96ac
-
SSDEEP
1536:4G2kZqDwXQa3OFBLedkZdWSycuSF02YqlO5Szs7HJiJl:R2kZZXHMBL7hr1W2VlOW
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modiloader family
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Vipkeylogger family
-
ModiLoader Second Stage
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Hide Artifacts: Hidden Window
Windows that would typically be displayed when an application carries out an operation can be hidden.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Window
1Modify Registry
3Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1