Overview

overview

10

Static

static

3

Bronchoscopes.exe

windows7-x64

10

Bronchoscopes.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    fc46d2f1ee0c658db2aa99663d211fbd04bfd5bffae328243065b42bbb1f2629

  • Size

    936KB

  • Sample

    250217-tbc74szpcn

  • MD5

    8ccc3cba537491f7059b535ccf30a7ad

  • SHA1

    469155aae0518bb54a8dbf01237930bdfa097034

  • SHA256

    fc46d2f1ee0c658db2aa99663d211fbd04bfd5bffae328243065b42bbb1f2629

  • SHA512

    f84f3ba0803221f9e5bd13e171abd745bda56023ae2a8f87d7aeb93c871b92890c222fbfa0203171203f033700188723442661cadbb6616f0f1da481fee02419

  • SSDEEP

    24576:qMxUKyPkyukuAVTmZGAb+361Wo8/dEI6jy9L7K1PgVh9xgU2IpWrbdGj:PxUls/6mZbosw/au9LcoVr2JGj

Score
10/10
guloadervipkeyloggercollectiondiscoverydownloaderkeyloggerspywarestealer

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot8172976107:AAH5CXqEBGFF-CK18VpImdWAW7U_9296FqY/sendMessage?chat_id=6885960134

Targets

    • Target

      Bronchoscopes.exe

    • Size

      993KB

    • MD5

      e8f5efe2bd32d94f83c8201f0e75de1f

    • SHA1

      fef6badc7eb0acacbce22768468b6aea1cd59ca0

    • SHA256

      1ef06d43a4c7f3a59f0829b20d820e0eae0da9bfd55eaa4269022d0228735d31

    • SHA512

      1b28b718c995383420e67fde4a7aafdbfcc1f10a0614bf3b6ca4648617cbbc28a97598be478923cdb664084f725a711ba4160d3b4d322b13584f197e0d6e4d99

    • SSDEEP

      24576:BGHfInLKDkeGPzR3MUzzUqi9Z7cuzNLrCP:4faLKEPN3MUXUqiT7Lk

    Score
    10/10
    guloadervipkeyloggerdiscoverydownloaderkeyloggerstealercollectionspyware

    • Guloader family

      guloader

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

      stealerkeyloggervipkeylogger

    • Vipkeylogger family

      vipkeylogger

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      b853d5d2361ade731e33e882707efc34

    • SHA1

      c58b1aeabdf1cbb8334ef8797e7aceaa7a1cb6be

    • SHA256

      f0cd96e0b6e40f92ad1aa0efacde833bae807b92fca19bf062c1cf8acf29484b

    • SHA512

      8ea31d82ffa6f58dab5632fe72690d3a6db0be65aec85fc8a1f71626773c0974dcebefae17bcf67c4c56ef442545e985eea0b348ff6e4fc36740640092b08d69

    • SSDEEP

      192:eA2HS+ihg200uWz947Wzvxu6v0MI7JOde+Ij5Z77dslFsEf:mS62Gw947ExuGDI7J8EF7KIE

    Score
    8/10
    discovery

    • Downloads MZ/PE file

    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks