General
-
Target
903d7920fc4c1dcb1523012750db17bc87a36f80801c299b9230c309bb7e0150.exe
-
Size
1.2MB
-
Sample
250213-gbwcgatrht
-
MD5
1a4ed0a8fcb78acc5ada116e41d321e8
-
SHA1
4c4dff7b48b147c161a7cc0c9376647d69af30f7
-
SHA256
903d7920fc4c1dcb1523012750db17bc87a36f80801c299b9230c309bb7e0150
-
SHA512
f91a0488fde6d4b47eb595b1a89d5f8f1661d0bedc315eb98e2f88259a7f84f69f2737a5764665069f4a838cb5701d883a7854032767ed938e5c2399c924a372
-
SSDEEP
24576:AP885sNkJaSjGMdsRyBoaWrzAk2LIP4ylsjM3NVzyYTjMS:v9kYoGfmof4k2o4RjMXDTjMS
Static task
static1
Behavioral task
behavioral1
Sample
903d7920fc4c1dcb1523012750db17bc87a36f80801c299b9230c309bb7e0150.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
903d7920fc4c1dcb1523012750db17bc87a36f80801c299b9230c309bb7e0150.exe
Resource
win10v2004-20250211-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20250211-en
Malware Config
Extracted
vipkeylogger
https://api.telegram.org/bot7985048972:AAETw71DlbcHqzvtl1F1nkzl_0aMbnCis_c/sendMessage?chat_id=7794818739
Targets
-
-
Target
903d7920fc4c1dcb1523012750db17bc87a36f80801c299b9230c309bb7e0150.exe
-
Size
1.2MB
-
MD5
1a4ed0a8fcb78acc5ada116e41d321e8
-
SHA1
4c4dff7b48b147c161a7cc0c9376647d69af30f7
-
SHA256
903d7920fc4c1dcb1523012750db17bc87a36f80801c299b9230c309bb7e0150
-
SHA512
f91a0488fde6d4b47eb595b1a89d5f8f1661d0bedc315eb98e2f88259a7f84f69f2737a5764665069f4a838cb5701d883a7854032767ed938e5c2399c924a372
-
SSDEEP
24576:AP885sNkJaSjGMdsRyBoaWrzAk2LIP4ylsjM3NVzyYTjMS:v9kYoGfmof4k2o4RjMXDTjMS
-
Guloader family
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Vipkeylogger family
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
$PLUGINSDIR/System.dll
-
Size
11KB
-
MD5
cf85183b87314359488b850f9e97a698
-
SHA1
6b6c790037eec7ebea4d05590359cb4473f19aea
-
SHA256
3b6a5cb2a3c091814fce297c04fb677f72732fb21615102c62a195fdc2e7dfac
-
SHA512
fe484b3fc89aeed3a6b71b90b90ea11a787697e56be3077154b6ddc2646850f6c38589ed422ff792e391638a80a778d33f22e891e76b5d65896c6fb4696a2c3b
-
SSDEEP
96:3IsUxO9udx4qYp7AJb76BykUbQMtHUOA5Iv+RnsrqeXV+d1g2IW9t2c+cEwF9oug:YVL7ikJb76BQUoUm+RnyXVYO2RvHoug
Score8/10-
Downloads MZ/PE file
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2