General

  • Target: 4a. RFx-4045.uu.rar
  • Size: 1.3MB
  • Sample: 250214-pnejgswqcw
  • MD5: fc631f86823af8ea05901ad514f65303
  • SHA1: 84377ef433457f08dc632c3321278769e06c7615
  • SHA256: a9c49bf5f524c64483f5e6f8bc12512f846b2cc3fd6677be9549f78fce81f1d1
  • SHA512: 88037cc00831991edf888867eaf61d6314929aec6e4b609a067cd9855d8e196763298a58a2fea456abf0227805ff6015a2ad4c74c55a19e016bff72304477434
  • SSDEEP: 24576:lhFyxnkBH84BXPz/drilAGWxlyAjf8R5OpFp8fdFl00:lDSkBc4hzMfWHdfAoj8ZX

Malware Config

Extracted

Family: vipkeylogger

Credentials

Targets

    • Target: 4a. RFx-4045.exe
    • Size: 1.4MB
    • MD5: 95ccf2bcd18e87a3386e71a5d09e75fe
    • SHA1: 79bbd13b8222d5a548a8b3539dcec954daf5d14f
    • SHA256: 7b676bf78d187d4d11cd10db0b8a31b908ee4d2a63556442da865d1c5aae2f22
    • SHA512: 88c5f95595d09a20752ff7f5aed8ab40be8dad92247ba5dd67e10c1b807a2e51c5d33bb408fa8ff6538f7a6fed4557dfee8e26a9d98411b5085dc902505b2ffe
    • SSDEEP: 24576:rtCtMYqSjjyxp8TehWCT2ldnvBw9mnAsrGMht2jLJ9Ks1y0dpvPccfZrpqXAYkJ2:rtCtJBKm7CKTvCZyGMht83Ks00LffeA8

    • Guloader family

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.

    • Vipkeylogger family

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target: $PLUGINSDIR/System.dll
    • Size: 11KB
    • MD5: fbe295e5a1acfbd0a6271898f885fe6a
    • SHA1: d6d205922e61635472efb13c2bb92c9ac6cb96da
    • SHA256: a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
    • SHA512: 2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06
    • SSDEEP: 192:yPtkiQJr7V9r3Ftr87NfwXQ6whlgi62V7i77blbTc4DI:N7Vxr8IgLgi3sVc4

    Score: 8/10

    • Downloads MZ/PE file

MITRE ATT&CK Enterprise v15

Tasks