Extracted

• • Target

    Momskoden.exe

  • Size

    1.1MB

  • MD5

    2aa166a2719616ff7ac82aae31277dc5

  • SHA1

    dc700c6982137fb9f3cdd79b95a8539ebcc6841c

  • SHA256

    95292a0804f091e9b5f726378631f330ba1fa117d5465ded18baf8153cbdff8a

  • SHA512

    0bdb971d1f5c9e33c9800d14050a4933b613c42257129417d56aaf78bdf972b72619baccf84682a95f77cb11dd17cd4755c431a0b8fa60db64bff3cccbeec47c

  • SSDEEP

    24576:cV8omiiDPDeynqve96wbfqiPACOedfHYNXNHA6a:cV8PPDPqve93/ACOdHAp

  Score

  10^/10

  discoveryguloadervipkeyloggerdownloaderkeyloggerstealer

  • Guloader family

    guloader

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    stealerkeyloggervipkeylogger

  • Vipkeylogger family

    vipkeylogger

  • Downloads MZ/PE file

  • Loads dropped DLL

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2

• • Target

    $PLUGINSDIR/System.dll

  • Size

    11KB

  • MD5

    34442e1e0c2870341df55e1b7b3cccdc

  • SHA1

    99b2fa21aead4b6ccd8ff2f6d3d3453a51d9c70c

  • SHA256

    269d232712c86983336badb40b9e55e80052d8389ed095ebf9214964d43b6bb1

  • SHA512

    4a8c57fb12997438b488b862f3fc9dc0f236e07bb47b2bce6053dcb03ac7ad171842f02ac749f02dda4719c681d186330524cd2953d33cb50854844e74b33d51

  • SSDEEP

    192:jPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4I:u7VpNo8gmOyRsVc4

  Score

  8^/10

  discovery

  • Downloads MZ/PE file

  behavioral3behavioral4