General

  • Target

    factura_2404047141_2024-09-17T02_00.exe

  • Size

    686KB

  • Sample

    250217-l1pcnsxrbl

  • MD5

    5a38c30a54b3b6f72907b334a5ce8e1a

  • SHA1

    568a123c1b4b5f8b09aef5603c19ceccb4b54850

  • SHA256

    4a4bde620f7d6baf02442d09999d40123bfa471e99fcb53d3617132b678bb6cb

  • SHA512

    719f1b1c287eceefbd56ab5527fa2ba623941f53ae83364ad247b6b9a6572fe12135584dffee46e9959d544f44904d437c1bf1ca252186409bef41cd9de55b80

  • SSDEEP

    12288:7PCMC15K0rytFYPwzrjfa7LvgdtZ+/qb48R15Skemda90xTM:7CM8V+tuPmzaIdt4Ck8Lgkem1xQ
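The hashes above are the indicators most analysts will actually pivot on, so a quick local check is worth having. The script below is an added example and not part of the sandbox report: it hashes an arbitrary file with the four algorithms the report lists and returns which of the report's artefacts (the submitted EXE and the two dropped files listed further down) it matches. The file path it takes on the command line is an assumption; the digest values are copied from this page.

```python
"""Hash a candidate file and compare it against the indicators in this report.

Added example, not part of the sandbox output. MD5/SHA1/SHA256 values below are
copied from the report; the command-line path is whatever the analyst supplies.
"""
import hashlib
import sys

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")

# Indicators transcribed from the report (submitted sample plus the two dropped files).
REPORT_IOCS = {
    "factura_2404047141_2024-09-17T02_00.exe": {
        "md5": "5a38c30a54b3b6f72907b334a5ce8e1a",
        "sha1": "568a123c1b4b5f8b09aef5603c19ceccb4b54850",
        "sha256": "4a4bde620f7d6baf02442d09999d40123bfa471e99fcb53d3617132b678bb6cb",
    },
    "$PLUGINSDIR/nsExec.dll": {
        "md5": "b5a1f9dc73e2944a388a61411bdd8c70",
        "sha1": "dc9b20df3f3810c2e81a0c54dea385704ba8bef7",
        "sha256": "288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884",
    },
    "Sightfulness.Att": {
        "md5": "56df3fc2932793899317cfeb62d64449",
        "sha1": "f9b092b5a1b1a127390596c69c45025c920958fc",
        "sha256": "1ba02a55786e074d96e3fc4c252b9ec86d6c50b76121692680fde2b15881d4f2",
    },
}


def _digest(chunks):
    """Feed every chunk to all four hashers in one pass and return hex digests."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for block in chunks:
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes) -> dict:
    """Digests of an in-memory buffer (used for small dropped files and tests)."""
    return _digest([data])


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Digests of a file on disk, read in 1 MiB chunks so large samples fit in memory."""
    with open(path, "rb") as fh:
        return _digest(iter(lambda: fh.read(chunk_size), b""))


def match_iocs(digests: dict, iocs: dict = REPORT_IOCS) -> list:
    """Names of report artefacts whose recorded hash equals any computed digest.

    Each algorithm is compared independently, so a single SHA256 (or even a lone
    MD5 from a third-party feed) is enough to produce a hit.
    """
    hits = []
    for name, known in iocs.items():
        if any(known.get(alg) == digests.get(alg) for alg in known):
            hits.append(name)
    return sorted(hits)


if __name__ == "__main__":
    # Usage: python check_iocs.py <file> [<file> ...]
    for candidate in sys.argv[1:]:
        digests = hash_file(candidate)
        matched = match_iocs(digests)
        status = "MATCH " + ", ".join(matched) if matched else "no match"
        print(f"{candidate}: sha256={digests['sha256']} -> {status}")
```

Comparing per algorithm rather than requiring all four to agree is deliberate: feeds and tickets rarely carry every digest, and a hit on any one of them is a collision-resistant enough signal to escalate on. SSDEEP is left out because it needs the ssdeep library and a similarity threshold rather than an equality test.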

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      factura_2404047141_2024-09-17T02_00.exe

    • Size

      686KB

    • MD5

      5a38c30a54b3b6f72907b334a5ce8e1a

    • SHA1

      568a123c1b4b5f8b09aef5603c19ceccb4b54850

    • SHA256

      4a4bde620f7d6baf02442d09999d40123bfa471e99fcb53d3617132b678bb6cb

    • SHA512

      719f1b1c287eceefbd56ab5527fa2ba623941f53ae83364ad247b6b9a6572fe12135584dffee46e9959d544f44904d437c1bf1ca252186409bef41cd9de55b80

    • SSDEEP

      12288:7PCMC15K0rytFYPwzrjfa7LvgdtZ+/qb48R15Skemda90xTM:7CM8V+tuPmzaIdt4Ck8Lgkem1xQ

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it closely resembles SnakeKeylogger, which was first seen in 2020.

    • Vipkeylogger family

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      b5a1f9dc73e2944a388a61411bdd8c70

    • SHA1

      dc9b20df3f3810c2e81a0c54dea385704ba8bef7

    • SHA256

      288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

    • SHA512

      b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

    • SSDEEP

      96:p7GUxNkO6GR0t9GKKr1Zd8NHYVVHp4dEeY3kRnHdMqqyVgNQ3e:lXhHR0aTQN4gRHdMqJVgNH

    Score
    8/10
    • Downloads MZ/PE file

    • Target

      Sightfulness.Att

    • Size

      51KB

    • MD5

      56df3fc2932793899317cfeb62d64449

    • SHA1

      f9b092b5a1b1a127390596c69c45025c920958fc

    • SHA256

      1ba02a55786e074d96e3fc4c252b9ec86d6c50b76121692680fde2b15881d4f2

    • SHA512

      834b1bba8777a8b766e3214861ac9fc4850edb76ff9d225e01d79656dd373c206a2782ff4853ccb0c13e4271ac00733de2c46ed23e470007b3e480e8ed04cb3c

    • SSDEEP

      1536:6VFbjdXj8k66WzJHjbDgYUpnZ3lZwb08G:SFb5okRWtHjbiZ/wgH

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Downloads MZ/PE file

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks