General

  • Target

    eed2e7dff36d375348140886713053ffd8c2860606f60bb81bf1770e77b76728.exe

  • Size

    840KB

  • Sample

    250215-fn18tavqez

  • MD5

    12890a85103f64f08b47ccd81f868c3a

  • SHA1

    a85731d37aaf5c9477c66f9ce7877c4833360ac8

  • SHA256

    eed2e7dff36d375348140886713053ffd8c2860606f60bb81bf1770e77b76728

  • SHA512

    0306fa0f3d3d7e9e7cad81ed650a23479271b1e3a90268594898f93ad345c96b0fcedee3d4ee4d80f33125312c4832043ce34d993224bac5256a0689dcc19426

  • SSDEEP

    12288:bkuXIHHuuaqL0TsoZ4cQdN1+JAjrkDU5jPZ6FTI6Nu1ZvKek:7XIHHuuaqL0TsoGcQP1+qvtFPZUvIj+

Malware Config

Extracted

Family

vipkeylogger

Credentials

C2

https://api.telegram.org/bot7868872251:AAGgFQ9Bkl4sqj91n2vPKSuoyNLVzJTqODY/sendMessage?chat_id=8173633564

Targets

    • Target

      eed2e7dff36d375348140886713053ffd8c2860606f60bb81bf1770e77b76728.exe

    • Size

      840KB

    • MD5

      12890a85103f64f08b47ccd81f868c3a

    • SHA1

      a85731d37aaf5c9477c66f9ce7877c4833360ac8

    • SHA256

      eed2e7dff36d375348140886713053ffd8c2860606f60bb81bf1770e77b76728

    • SHA512

      0306fa0f3d3d7e9e7cad81ed650a23479271b1e3a90268594898f93ad345c96b0fcedee3d4ee4d80f33125312c4832043ce34d993224bac5256a0689dcc19426

    • SSDEEP

      12288:bkuXIHHuuaqL0TsoZ4cQdN1+JAjrkDU5jPZ6FTI6Nu1ZvKek:7XIHHuuaqL0TsoGcQP1+qvtFPZUvIj+

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first observed in 2020.

    • Vipkeylogger family

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Downloads MZ/PE file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Accesses Microsoft Outlook profiles

    • Blocklisted process makes network request

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules that act as plugins for Internet Explorer.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      amagere.keh

    • Size

      53KB

    • MD5

      3b2ca5f40a0e7f7fbdc32a87bb02e158

    • SHA1

      cd2fcfdb6ea50615a6daf838a7fa5b4962179bf6

    • SHA256

      634e73dce86f61003118cc3d757424916f6a3b25bd39da332000de9e0b7943a4

    • SHA512

      e9b25363980cae6fc860ca32702ad1fae6469a42e79e038fd551a73032bde03c97e57d12cb02140be01bcb763eceaab58a4b9d780a7ab0a8f5dbf10ce7ba061d

    • SSDEEP

      1536:+AtG9ZyhFDBK2V4yHtPkdTiCYrKSwJ+acVSF:+AtjFDBb4yNPJDwEVM

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Downloads MZ/PE file

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks