General

  • Target

    JUSTIFICANTEDETRANSFERENCIA.exe

  • Size

    663KB

  • Sample

    250217-pdp78symgl

  • MD5

    8f1a27ff7db3072c7f430280163c75ef

  • SHA1

    b422d8f3aef50c91e6f7ce51a9d9401f34c96762

  • SHA256

    8bfd788dcf61676b05f3c70f1641d769311121dc181c923f20407d00b15d9a56

  • SHA512

    6a3eaf4bcceadd2cfa99e95bcab34778003ffe7450502727e4e24c594f339b066aed154bdaea62286bc4e838c244a14e4aa4505e6c4046b5d0845979ee84d8a9

  • SSDEEP

    12288:7PCMC15K0rytq1sPAZNHOsariPxkXZ3Aka+R15Skemda90xTB:7CM8V+tsZNHXariPxkX+kDLgkem1xV

Malware Config

Extracted

  • Family

    vipkeylogger

  • Credentials

Targets

    • Target

      JUSTIFICANTEDETRANSFERENCIA.exe

    • Size

      663KB

    • MD5

      8f1a27ff7db3072c7f430280163c75ef

    • SHA1

      b422d8f3aef50c91e6f7ce51a9d9401f34c96762

    • SHA256

      8bfd788dcf61676b05f3c70f1641d769311121dc181c923f20407d00b15d9a56

    • SHA512

      6a3eaf4bcceadd2cfa99e95bcab34778003ffe7450502727e4e24c594f339b066aed154bdaea62286bc4e838c244a14e4aa4505e6c4046b5d0845979ee84d8a9

    • SSDEEP

      12288:7PCMC15K0rytq1sPAZNHOsariPxkXZ3Aka+R15Skemda90xTB:7CM8V+tsZNHXariPxkX+kDLgkem1xV

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.

    • Vipkeylogger family

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      b5a1f9dc73e2944a388a61411bdd8c70

    • SHA1

      dc9b20df3f3810c2e81a0c54dea385704ba8bef7

    • SHA256

      288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

    • SHA512

      b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

    • SSDEEP

      96:p7GUxNkO6GR0t9GKKr1Zd8NHYVVHp4dEeY3kRnHdMqqyVgNQ3e:lXhHR0aTQN4gRHdMqJVgNH

    • Score

      8/10

    • Downloads MZ/PE file

    • Target

      Spenderende.Qui

    • Size

      54KB

    • MD5

      cf9dc16531d6806fd98c4f0399ed4fd6

    • SHA1

      f99e95bac3882f753808e211897f23ae9a6c0727

    • SHA256

      9ae752b6bb7019dcb0381805c45e0cd61a6ed571442611e38334880787d11683

    • SHA512

      f0552dd0f7d29ba8a3e130a072a04f7aa6ce2b4c35c493c2b8233727409101787715ed2f2f1365cef782458ab09166daa1980c93609afc5adcb995e499fc8088

    • SSDEEP

      1536:FTtM4R16eKiC2MkIrUZZADIxX6PWD9qefc/ruS:FC0KwMkl3x+XuS

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Downloads MZ/PE file

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks