General

  • Target

    presupuestourgente.exe

  • Size

    620KB

  • Sample

    250213-pjxjhaykbt

  • MD5

    0699d1cef89f6a68b1a751df81ca57d7

  • SHA1

    babd83e5b5bba31dc53a97b93042fd82732d5f53

  • SHA256

    29609f09ad62c2c32ca641e535076dfa6ce094412eca7e54ab5460096b44f9db

  • SHA512

    5518124c13021a41e1bc6a97ed8f6054fe9356eb8dc229de01de299f2ebbd7abfd72a9461f6c91bf5f3214a6ecea70cc932f35f959d2e31d1d46d59aad3a78f4

  • SSDEEP

    12288:ZhqqxfqTewx8s2s5Y8LP7+VJWZl85osgsJlFLtAKXQo:ZMCqeW8TyLjUWZl82+JlFZAKgo

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7809789609:AAFDhXsYPyaTrfKRHK3WeoYjI2bc1kwou_A/sendMessage?chat_id=7018410926

Targets

    • Target

      presupuestourgente.exe

    • Size

      620KB

    • MD5

      0699d1cef89f6a68b1a751df81ca57d7

    • SHA1

      babd83e5b5bba31dc53a97b93042fd82732d5f53

    • SHA256

      29609f09ad62c2c32ca641e535076dfa6ce094412eca7e54ab5460096b44f9db

    • SHA512

      5518124c13021a41e1bc6a97ed8f6054fe9356eb8dc229de01de299f2ebbd7abfd72a9461f6c91bf5f3214a6ecea70cc932f35f959d2e31d1d46d59aad3a78f4

    • SSDEEP

      12288:ZhqqxfqTewx8s2s5Y8LP7+VJWZl85osgsJlFLtAKXQo:ZMCqeW8TyLjUWZl82+JlFZAKgo

    • Guloader family

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first found in 2020.

    • Vipkeylogger family

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup web service to determine the infected system's external IP address.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      $PLUGINSDIR/LangDLL.dll

    • Size

      5KB

    • MD5

      7af1e33d85459fbd2cf7ef29d7528e9e

    • SHA1

      8a90d81eeabd6886e5b5985d3d10e3f435ccf00d

    • SHA256

      958b118ec87610f25232eb6257168bdbbf210cf2511bf38fb54bf4ffc908abb2

    • SHA512

      1aa61538a5fec5bb27dca4305f4b856446e032321f55f26c5e949bb125220a4c319c51c2050697cda6c39ba784eaf2f041ee742f57d3e2e8a6e9f6ec96007145

    • SSDEEP

      48:im1esjq8W2MPUptuMMFvx/om/ycNSCwVGfOY0vB6/JvR0Jjof5d2D:F12Bl91Z7/ycNSCwV8TLZR0wd2

    Score
    8/10
    • Downloads MZ/PE file

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      375e8a08471dc6f85f3828488b1147b3

    • SHA1

      1941484ac710fc301a7d31d6f1345e32a21546af

    • SHA256

      4c86b238e64ecfaabe322a70fd78db229a663ccc209920f3385596a6e3205f78

    • SHA512

      5ba29db13723ddf27b265a4548606274b850d076ae1f050c64044f8ccd020585ad766c85c3e20003a22f356875f76fb3679c89547b0962580d8e5a42b082b9a8

    • SSDEEP

      192:MPtkumJX7zB22kGwfy0mtVgkCPOs91un:9702k5qpds9Qn

    Score
    8/10
    • Downloads MZ/PE file

MITRE ATT&CK Enterprise v15

Tasks