General

  • Target

    1add121c2feec6d6e010da17f2a84fe71236b6ab1f55a62a02014f72b62ce3a4.chm

  • Size

    75KB

  • Sample

    250129-cpqa6axpcz

  • MD5

    9c8a5461b7d545e1df98e0d63bc27ec2

  • SHA1

    bef27ecbd3832ecd148c81bf3a3272408833e492

  • SHA256

    1add121c2feec6d6e010da17f2a84fe71236b6ab1f55a62a02014f72b62ce3a4

  • SHA512

    ad2cc969ad7dbbf88908e5e85d93e193b47dc1a0bf48cd3eff578434ceaa541f41d874f7531baf52809a3767d50a15110789ead221e92f61514bbfc53e0e96ac

  • SSDEEP

    1536:4G2kZqDwXQa3OFBLedkZdWSycuSF02YqlO5Szs7HJiJl:R2kZZXHMBL7hr1W2VlOW

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    lax029.hawkhost.com
  • Port:
    587
  • Username:
    server1@massmaesure.com
  • Password:
    london@1759

Extracted

Family

vipkeylogger

Targets

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Modiloader family

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

    • Vipkeylogger family

    • ModiLoader Second Stage

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Hide Artifacts: Hidden Window

      Windows that would typically be displayed when an application carries out an operation can be hidden.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
