Overview

overview

10

Static

static

3

56782432-PDF.exe

windows7-x64

7

56782432-PDF.exe

windows10-2004-x64

10

$PLUGINSDI...LL.dll

windows7-x64

3

$PLUGINSDI...LL.dll

windows10-2004-x64

8

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    56782432-PDF.exe

  • Size

    950KB

  • Sample

    250213-w4fvta1pcq

  • MD5

    8f9400d7a210e0a2cf2a41d15de8fd6b

  • SHA1

    d924e0d9aff0c1b05503471f1e736d486dee3c38

  • SHA256

    138a36795ca9c61518ddb0b7ecb1ddcb91ea1903902e34cac726fad3ba34cd6c

  • SHA512

    fff5eeb5834e8eac393483f962b1957e2bfb21f2fa3de425fe89fac63e6125e1a9fad5921fb5753f4117318781c5f5bf61673294160d248ccb919150280ddd4d

  • SSDEEP

    24576:8s2NlX6adX9pJMOKpfWmVRpkVoJfCMoU8Z1A4:glX6aR9QJW8lCLU8ZC4

Score
10/10
guloadervipkeyloggercollectiondiscoverydownloaderkeyloggerspywarestealer

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7820268445:AAEZfSmLuus_dNt5ZwkUPVcXMdXXvZqhlMU/sendMessage?chat_id=8015582084

Targets

    • Target

      56782432-PDF.exe

    • Size

      950KB

    • MD5

      8f9400d7a210e0a2cf2a41d15de8fd6b

    • SHA1

      d924e0d9aff0c1b05503471f1e736d486dee3c38

    • SHA256

      138a36795ca9c61518ddb0b7ecb1ddcb91ea1903902e34cac726fad3ba34cd6c

    • SHA512

      fff5eeb5834e8eac393483f962b1957e2bfb21f2fa3de425fe89fac63e6125e1a9fad5921fb5753f4117318781c5f5bf61673294160d248ccb919150280ddd4d

    • SSDEEP

      24576:8s2NlX6adX9pJMOKpfWmVRpkVoJfCMoU8Z1A4:glX6aR9QJW8lCLU8ZC4

    Score
    10/10
    discoveryguloadervipkeyloggercollectiondownloaderkeyloggerspywarestealer

    • Guloader family

      guloader

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

      stealerkeyloggervipkeylogger

    • Vipkeylogger family

      vipkeylogger

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/LangDLL.dll

    • Size

      5KB

    • MD5

      b21a3377e66b941df6d5b7cf8ba7a43a

    • SHA1

      e7ed27fce2db9cdc11ca3c640806731dcef3864a

    • SHA256

      ba46a03088f690ce966043f49761ff3a3a0dca236160794de841dfecc3588d1e

    • SHA512

      f011a824c0ff7f87c6da112898f4afc87e12c5b39fb40ffcc0955012e79a4302597d892224b3b47e8143480605c73275d3799d6d2000cdf179c2912241f86916

    • SSDEEP

      48:im1YEhqneMPUptuMMNvimk2BAZuMTRCpYEvJdUJvR0Jsof5dwe:F1apl9NLBAZuYtR0/d

    Score
    8/10
    discovery

    • Downloads MZ/PE file

    behavioral3behavioral4

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      792b6f86e296d3904285b2bf67ccd7e0

    • SHA1

      966b16f84697552747e0ddd19a4ba8ab5083af31

    • SHA256

      c7a20bcaa0197aedddc8e4797bbb33fdf70d980f5e83c203d148121c2106d917

    • SHA512

      97edc3410b88ca31abc0af0324258d2b59127047810947d0fb5e7e12957db34d206ffd70a0456add3a26b0546643ff0234124b08423c2c9ffe9bdec6eb210f2c

    • SSDEEP

      192:rFiQJ771Jt17C8F1A5xjGNNvgFOiLb7lrT/L93:X71Jt48F2eNvgFF/L

    Score
    8/10
    discovery

    • Downloads MZ/PE file

    behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Tasks