vipkeylogger

General

Target

286613912fd0a6bf8e409ad00bc6120614661205b17a4bd9a1001d6572d034ea.exe
Size

486KB
Sample

250218-crnkcawkay
MD5

35f728212663760f57ea43bdb0b40261
SHA1

d5537d0bb84dcfc3e4648e731be4ab8c0030ebe9
SHA256

286613912fd0a6bf8e409ad00bc6120614661205b17a4bd9a1001d6572d034ea
SHA512

e71fd759efe9b3875ebdf967928faae7fd50e18312676792ce6f444d0ec8fb9d6cadde9e94820cc134d37eb92f5b6cbebb4fd2bf8fa835d6b7f7da2f8d122c7d
SSDEEP

12288:ss5Ih2dOP+4QgEyachltlR1i8C8M6AFYM/cBCLousN3fjAmBmwx:ss6+4rRach/1i8PUBcB73fjAAmwx

Score

10^/10

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.viajesreina.com
Port:
587
Username:
[email protected]
Password:
Nyxe5~69
Email To:
[email protected]

Targets

- Target
  
  286613912fd0a6bf8e409ad00bc6120614661205b17a4bd9a1001d6572d034ea.exe
- Size
  
  486KB
- MD5
  
  35f728212663760f57ea43bdb0b40261
- SHA1
  
  d5537d0bb84dcfc3e4648e731be4ab8c0030ebe9
- SHA256
  
  286613912fd0a6bf8e409ad00bc6120614661205b17a4bd9a1001d6572d034ea
- SHA512
  
  e71fd759efe9b3875ebdf967928faae7fd50e18312676792ce6f444d0ec8fb9d6cadde9e94820cc134d37eb92f5b6cbebb4fd2bf8fa835d6b7f7da2f8d122c7d
- SSDEEP
  
  12288:ss5Ih2dOP+4QgEyachltlR1i8C8M6AFYM/cBCLousN3fjAmBmwx:ss6+4rRach/1i8PUBcB73fjAAmwx
Score

10^/10

discovery execution vipkeylogger collection keylogger stealer
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Accesses Microsoft Outlook profiles
  collection
- Blocklisted process makes network request
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  Thysanopteron.mel
- Size
  
  52KB
- MD5
  
  43860ed7f681f502ab5b4a99e59833de
- SHA1
  
  70189257704b449a6b3b1303cbbd68e60f8f9fac
- SHA256
  
  9f65609cbc60020021c363f0221d4b1ea83c4eabebec58341a71bf34cfd385f7
- SHA512
  
  20b286626715d314dbc746aa50c16aafb483885d5825f2315abcad7a52f0483a5c9a5e40d08d35d8cefbb973e93ec52a2f56f6beab5756bb7504293c388e429c
- SSDEEP
  
  768:tdqnwCyzUqfGxT864iAp+m+uMoBJKOTJu9TB5SjljUtmg1u7ogVNhtvUOZdXzdaK:nQU4qfGxTohPXZETBojucbT/BEYZu7U
Score

8^/10

execution persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral3 behavioral4