Overview

overview

10

Static

static

3

BugSplat64.dll

windows7-x64

10

BugSplat64.dll

windows10-2004-x64

10

PO202501B.exe

windows7-x64

10

PO202501B.exe

windows10-2004-x64

10

vcruntime140.dll

windows7-x64

1

vcruntime140.dll

windows10-2004-x64

8

vcruntime140_1.dll

windows7-x64

1

vcruntime140_1.dll

windows10-2004-x64

8

vcruntime211.dll

windows7-x64

1

vcruntime211.dll

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    PO202501B.zip

  • Size

    2.6MB

  • Sample

    250215-mb3z7sxrbq

  • MD5

    35b0df25976ae1b2ed2eb64ce4967e09

  • SHA1

    24c06b8a23e0189f57b0df8af06c25374a10c51b

  • SHA256

    58d95f19639cc6d5acb02511b4c9a8fe04ca63d63844b68036dbc0eea4edd453

  • SHA512

    8e4acedcbaebf88e1dd004b4d89f33b9faefe0aec0c09ffe011a0d436ccfa498d8b8d69a5a4cfd1ded5a7a5e7c647d513f05300a05922c74bdaad42e55ea920f

  • SSDEEP

    49152:N01cBpjDsibTtExdGCot6tkm5xBQ/UhXJOhafW5+KhcZxWIu8JIltW1+:NjXjwijCot6tkmq/8JOhafYhSxdu8u

Score
10/10
vipkeyloggeradwarecollectiondiscoverykeyloggerpersistenceprivilege_escalationstealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    webmail.tropicnet.com.au
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Millymoo!@#

Targets

    • Target

      BugSplat64.dll

    • Size

      4.5MB

    • MD5

      dbf393cb8382e127c0008d51a135e8b8

    • SHA1

      1c3210ac7e1ca2026b5ab91299e5d7b56813d115

    • SHA256

      b611edd23fc7313e409a4538752a6bfd274cc79b4b87a8700c39fbdc223deb87

    • SHA512

      4339fa259ba6a7488af2508968ae8e62cd7c0c9c7d5c7f1022f4e0ca30d87e4ffd78c77b6483a8afd944e7609740ecdc3edc6e698c0ed9bc3412549dc9589cf5

    • SSDEEP

      49152:kRamKgxNsrgLIEdPGU9ZHfh6wZrzj81gRUaGJSA9g+CSIBGKKBUMPmPrbrzme1YL:jmK0srWlhpmSA9g3rrrA

    Score
    10/10
    vipkeyloggercollectiondiscoverykeyloggerstealeradwarepersistenceprivilege_escalation

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

      stealerkeyloggervipkeylogger

    • Vipkeylogger family

      vipkeylogger

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Downloads MZ/PE file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Accesses Microsoft Outlook profiles

      collection

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

      stealeradware

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      PO202501B.exe

    • Size

      255KB

    • MD5

      2a39ab7049226dec986fa602a26f5372

    • SHA1

      f0baf3b4f1dbcc6dd21e6f1279c741c0051c03cc

    • SHA256

      ad4cd780bd7accd7482dcf6222910aafee971c7ab870ebae0022d51b237fa5cb

    • SHA512

      5190d06d07b72f8ebaf326b6c0fcd85963afe598be499afee11881905ded944b58829a6ddc85a94f75621e5936496e151a1d8b4b96d12d38148a1f256841dafa

    • SSDEEP

      6144:WIaCAK/UGjgTPD/CRe4GvTS8w9hzc9ap+zGj:hz7KmH9tp1

    Score
    10/10
    vipkeyloggercollectiondiscoverykeyloggerstealer

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

      stealerkeyloggervipkeylogger

    • Vipkeylogger family

      vipkeylogger

    • Downloads MZ/PE file

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

    • Target

      vcruntime140.dll

    • Size

      84KB

    • MD5

      3e746699828f9e9aab45b8f1c3cea4a1

    • SHA1

      5ba84f26e47670c865e21e3303a28e54608475d3

    • SHA256

      de6ca787d0e0a30810fea570db867199d32ed71867e1c36a0f58ed71d540f035

    • SHA512

      ecc2c06a96661f063bbce91c5a7239e24aae3a5924ebb8773cef3d9e1d332959612bd052991ace98700d25912266ee39ee93ab623befd20f548d62f451426218

    • SSDEEP

      1536:ca0fOoqCbITyAAAmYIihE7Ka8maPKMOB0Fc2/ecbQ7qdWdi/phl:cnTbuyAzhphgLcBOGFxecbQ7qSi/t

    Score
    8/10
    adwarediscoverypersistenceprivilege_escalationstealer

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Downloads MZ/PE file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

      stealeradware

    • Drops file in System32 directory

    behavioral5behavioral6

    • Target

      vcruntime140_1.dll

    • Size

      35KB

    • MD5

      f124d735ebff3330b5b6cfa7df1c17be

    • SHA1

      ad9cba122a47a4be8c3ec3ac6ce2d920f7e40baa

    • SHA256

      d34288fcb286d4e2056f969767a65f09cf6e71ad27fe3af4edd1584cd95fd55f

    • SHA512

      e5f1fd40b28861f3f7e5851e47b60a3035216129e0491f112e8ebc4dacd4c890a06caead8aa7d4ae7b64bd2b0c08e1ba17bad924534fcedec406895ca8af8c09

    • SSDEEP

      384:lbPvL6j8qS3RZ0IQ8tq7+B5Wjfy4hGCrNWrSVbWENXfGj5y85xIam4WrNNW7QHRV:BvGj8qSBoEiy4hvCsjNveIamvW8JuW

    Score
    8/10
    discovery

    • Downloads MZ/PE file

    behavioral7behavioral8

    • Target

      vcruntime211.dll

    • Size

      370KB

    • MD5

      c982637d4aef31b1601b7b514b2c8c0e

    • SHA1

      e39b8808652bf18fcb5acaf95a3eb30e6dfca7fe

    • SHA256

      1c9ac2b15cf274154a7c2fcc881f01762fc5e863c4c2889a7c0140b00fb4298d

    • SHA512

      c2617c0157b8f4e8d0bf22f44556fe0239c8b25b8088d618c4616d6e4333a0bcaf0fe319e74151f1e95000fd6d3d4139e73395ea852b42a114a852167a1a1f9a

    • SSDEEP

      6144:TR6TkMuEHjtF5x5eABTmTugfvrYQtNS2NlQ+Jv3+x4pmipLzKOpVVRDDYX:TR6TkMuEHjtF5x5uuO9TXUypxHp1QX

    Score
    8/10
    discovery

    • Downloads MZ/PE file

    behavioral10behavioral9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Active Setup

1
T1547.014

Browser Extensions

1
T1176

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Active Setup

1
T1547.014

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Defense Evasion

Modify Registry

4
T1112

Credential Access

Discovery

Browser Information Discovery

1
T1217

Query Registry

2
T1012

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Email Collection

1
T1114

Command and Control

Exfiltration

Impact

Tasks