Overview

overview

10

Static

static

3

factura_24...00.exe

windows7-x64

7

factura_24...00.exe

windows10-2004-x64

10

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

8

Sightfulness.ps1

windows7-x64

3

Sightfulness.ps1

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    factura_2404047141_2024-09-17T02_00.exe

  • Size

    686KB

  • Sample

    250217-lvjj8sxqe1

  • MD5

    5a38c30a54b3b6f72907b334a5ce8e1a

  • SHA1

    568a123c1b4b5f8b09aef5603c19ceccb4b54850

  • SHA256

    4a4bde620f7d6baf02442d09999d40123bfa471e99fcb53d3617132b678bb6cb

  • SHA512

    719f1b1c287eceefbd56ab5527fa2ba623941f53ae83364ad247b6b9a6572fe12135584dffee46e9959d544f44904d437c1bf1ca252186409bef41cd9de55b80

  • SSDEEP

    12288:7PCMC15K0rytFYPwzrjfa7LvgdtZ+/qb48R15Skemda90xTM:7CM8V+tuPmzaIdt4Ck8Lgkem1xQ

Score
10/10
vipkeyloggeradwarecollectiondiscoveryexecutionkeyloggerpersistenceprivilege_escalationstealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      factura_2404047141_2024-09-17T02_00.exe

    • Size

      686KB

    • MD5

      5a38c30a54b3b6f72907b334a5ce8e1a

    • SHA1

      568a123c1b4b5f8b09aef5603c19ceccb4b54850

    • SHA256

      4a4bde620f7d6baf02442d09999d40123bfa471e99fcb53d3617132b678bb6cb

    • SHA512

      719f1b1c287eceefbd56ab5527fa2ba623941f53ae83364ad247b6b9a6572fe12135584dffee46e9959d544f44904d437c1bf1ca252186409bef41cd9de55b80

    • SSDEEP

      12288:7PCMC15K0rytFYPwzrjfa7LvgdtZ+/qb48R15Skemda90xTM:7CM8V+tuPmzaIdt4Ck8Lgkem1xQ

    Score
    10/10
    discoveryexecutionvipkeyloggercollectionkeyloggerstealer

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

      stealerkeyloggervipkeylogger

    • Vipkeylogger family

      vipkeylogger

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

      collection

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      b5a1f9dc73e2944a388a61411bdd8c70

    • SHA1

      dc9b20df3f3810c2e81a0c54dea385704ba8bef7

    • SHA256

      288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

    • SHA512

      b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

    • SSDEEP

      96:p7GUxNkO6GR0t9GKKr1Zd8NHYVVHp4dEeY3kRnHdMqqyVgNQ3e:lXhHR0aTQN4gRHdMqJVgNH

    Score
    8/10
    discoveryadwarepersistenceprivilege_escalationstealer

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Downloads MZ/PE file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

      stealeradware

    • Drops file in System32 directory

    behavioral3behavioral4

    • Target

      Sightfulness.Att

    • Size

      51KB

    • MD5

      56df3fc2932793899317cfeb62d64449

    • SHA1

      f9b092b5a1b1a127390596c69c45025c920958fc

    • SHA256

      1ba02a55786e074d96e3fc4c252b9ec86d6c50b76121692680fde2b15881d4f2

    • SHA512

      834b1bba8777a8b766e3214861ac9fc4850edb76ff9d225e01d79656dd373c206a2782ff4853ccb0c13e4271ac00733de2c46ed23e470007b3e480e8ed04cb3c

    • SSDEEP

      1536:6VFbjdXj8k66WzJHjbDgYUpnZ3lZwb08G:SFb5okRWtHjbiZ/wgH

    Score
    8/10
    executiondiscoverypersistence

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Downloads MZ/PE file

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Active Setup

1
T1547.014

Browser Extensions

1
T1176

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Active Setup

1
T1547.014

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Defense Evasion

Modify Registry

4
T1112

Credential Access

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

2
T1120

Query Registry

4
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Email Collection

1
T1114

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks