General

  • Target

    justificante de transferencia.exe

  • Size

    837KB

  • Sample

    250214-hkab2awpf1

  • MD5

    f45658b16b50dcd644ec29a2fc716b3a

  • SHA1

    b8c94d4c6405e45a5e830480498df8f9c0f5c9f6

  • SHA256

    65977464bdb8e893c4ca76c1cc7a2a410aaf4533ca345a009f37246a0711875b

  • SHA512

    b34ff76bd10bfa1b112e06fbcd4ad082fdaef33d702538a22dcc5d80627fdc41ca9460f19f582bc932fcaac8d97c6cb8de86b9db93787170fabdaf49c8771781

  • SSDEEP

    12288:bkuXIHHuuo7A7A7oguiHU2azco+MCUIOCpRdGc4ZvKea:7XIHHuuo7R7oTiHUbzoGIOCr4cY8

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7688075474:AAFD0RRgEd3hJhNpHxFs4OWkLJUyvCWsJJg/sendMessage?chat_id=8026736155

Targets

    • Target

      justificante de transferencia.exe

    • Size

      837KB

    • MD5

      f45658b16b50dcd644ec29a2fc716b3a

    • SHA1

      b8c94d4c6405e45a5e830480498df8f9c0f5c9f6

    • SHA256

      65977464bdb8e893c4ca76c1cc7a2a410aaf4533ca345a009f37246a0711875b

    • SHA512

      b34ff76bd10bfa1b112e06fbcd4ad082fdaef33d702538a22dcc5d80627fdc41ca9460f19f582bc932fcaac8d97c6cb8de86b9db93787170fabdaf49c8771781

    • SSDEEP

      12288:bkuXIHHuuo7A7A7oguiHU2azco+MCUIOCpRdGc4ZvKea:7XIHHuuo7R7oTiHUbzoGIOCr4cY8

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first found in 2020.

    • Vipkeylogger family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell and hides the display window.

    • Downloads MZ/PE file

    • Accesses Microsoft Outlook profiles

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Capricorn46/Smaakager.Nep

    • Size

      52KB

    • MD5

      e887e59c0f45446f5708524edd22e09f

    • SHA1

      0530bfca5e7911c425be41d276e697042e102132

    • SHA256

      2887ac9e3835ee2197cde04ee649f98d6372e24b05668c69062026a612c43ea3

    • SHA512

      2f1bb8a9e30666c7a8703e13ebe2e3b26d53e1d0759c02ec18ef6531b2aa0fea84e358aa364dcac01f2b17639ddfd71b92122fded579b41bd0531121dd52faba

    • SSDEEP

      1536:znLKmKmnI7jcQzSM43GM8C460L3vZnNajdOqmP:znLjKm5QzSMuG3L3BnNZ1

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Downloads MZ/PE file

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks