General

  • Target

    30079615-AylkzetRaporu.exe

  • Size

    727KB

  • Sample

    250211-r2tlnswqdj

  • MD5

    7f252035c3ae6876c036a4c34c7c64c9

  • SHA1

    1ddb926594ba1df0f1aad90902dac8b32e2395f9

  • SHA256

    fff7b49756b2b82efe6e3fa1544215dc4fd3ddd12869ad26f1cccc21a88c2079

  • SHA512

    9f281c7d15d782b190f9b79d57b44eef4061a0e5beb5c1848f4fa0a13750ec33e85230235be40f655c879c84afc451cef1a1079309cf3dc37a3b96784e0a2173

  • SSDEEP

    12288:jnPdlkh3ky/FJsTpew9f2A6swE7SXxJnKj2Hyi6i8XWDqCVHb9RvjOV4RqQQKY6u:7PdlfqUTVf2APwEevk2Hh6Um0v64RVN6

Malware Config

Extracted

  • Family

    vipkeylogger

  • C2

    https://api.telegram.org/bot7558532911:AAGepJ1c9JoLg9C0OOA7u5vk4MPYoO5ezUQ/sendMessage?chat_id=7573818489

Targets

    • Target

      30079615-AylkzetRaporu.exe

    • Guloader family

    • Guloader,Cloudeye

      A shellcode-based downloader first seen in 2020.

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first found in 2020.

    • Vipkeylogger family

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      4add245d4ba34b04f213409bfe504c07

    • SHA1

      ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

    • SHA256

      9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

    • SHA512

      1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

    • SSDEEP

      192:VjHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZv0QPi:B/Qlt7wiij/lMRv/9V4bvr

    • Score

      8/10

    • Downloads MZ/PE file

MITRE ATT&CK Enterprise v15

Tasks