Overview

overview

10

Static

static

3

Invoice-736784.exe

windows7-x64

7

Invoice-736784.exe

windows10-2004-x64

10

$PLUGINSDI...LL.dll

windows7-x64

3

$PLUGINSDI...LL.dll

windows10-2004-x64

8

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Invoice-736784

  • Size

    921KB

  • Sample

    250211-k2s7kssjgs

  • MD5

    252feb4a3f2b23c726a6814eef75b8e4

  • SHA1

    8a9e7e4bf07f61ec6eb2008d4423eca9fdb439e0

  • SHA256

    3d13098a7038e2edec5a45c9d670e404f20187fc504d743ca73fc99bfb295be9

  • SHA512

    209fdbdc2a63870557947785a1db127928ba6175c92b0e288ca5139b4e1ad33b18ef36c70b93512f48fd099588bbca43bc7730c6800ef31029c3ce7181c67359

  • SSDEEP

    24576:8s2Nl1FAGoUvfMOK4fWmVRpkVoJfCMoU8Z1An:glDUU0UW8lCLU8ZCn

Score
10/10
guloadervipkeyloggercollectiondiscoverydownloaderkeyloggerspywarestealer

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7925601648:AAFJQr-qYufJQhg5VRCefCc8bUKVvQ_OCT4/sendMessage?chat_id=1940565380

Targets

    • Target

      Invoice-736784

    • Size

      921KB

    • MD5

      252feb4a3f2b23c726a6814eef75b8e4

    • SHA1

      8a9e7e4bf07f61ec6eb2008d4423eca9fdb439e0

    • SHA256

      3d13098a7038e2edec5a45c9d670e404f20187fc504d743ca73fc99bfb295be9

    • SHA512

      209fdbdc2a63870557947785a1db127928ba6175c92b0e288ca5139b4e1ad33b18ef36c70b93512f48fd099588bbca43bc7730c6800ef31029c3ce7181c67359

    • SSDEEP

      24576:8s2Nl1FAGoUvfMOK4fWmVRpkVoJfCMoU8Z1An:glDUU0UW8lCLU8ZCn

    Score
    10/10
    discoveryguloadervipkeyloggercollectiondownloaderkeyloggerspywarestealer

    • Guloader family

      guloader

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

      stealerkeyloggervipkeylogger

    • Vipkeylogger family

      vipkeylogger

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/LangDLL.dll

    • Size

      5KB

    • MD5

      b21a3377e66b941df6d5b7cf8ba7a43a

    • SHA1

      e7ed27fce2db9cdc11ca3c640806731dcef3864a

    • SHA256

      ba46a03088f690ce966043f49761ff3a3a0dca236160794de841dfecc3588d1e

    • SHA512

      f011a824c0ff7f87c6da112898f4afc87e12c5b39fb40ffcc0955012e79a4302597d892224b3b47e8143480605c73275d3799d6d2000cdf179c2912241f86916

    • SSDEEP

      48:im1YEhqneMPUptuMMNvimk2BAZuMTRCpYEvJdUJvR0Jsof5dwe:F1apl9NLBAZuYtR0/d

    Score
    8/10
    discovery

    • Downloads MZ/PE file

    behavioral3behavioral4

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      792b6f86e296d3904285b2bf67ccd7e0

    • SHA1

      966b16f84697552747e0ddd19a4ba8ab5083af31

    • SHA256

      c7a20bcaa0197aedddc8e4797bbb33fdf70d980f5e83c203d148121c2106d917

    • SHA512

      97edc3410b88ca31abc0af0324258d2b59127047810947d0fb5e7e12957db34d206ffd70a0456add3a26b0546643ff0234124b08423c2c9ffe9bdec6eb210f2c

    • SSDEEP

      192:rFiQJ771Jt17C8F1A5xjGNNvgFOiLb7lrT/L93:X71Jt48F2eNvgFF/L

    Score
    8/10
    discovery

    • Downloads MZ/PE file

    behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Tasks