Overview

overview

10

Static

static

3

DHLAWBDocu...df.exe

windows7-x64

10

DHLAWBDocu...df.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    DHLAWBDocument_pdf.exe

  • Size

    696KB

  • Sample

    250218-hpga5szkz6

  • MD5

    0aeea57a56be2f86535e0809c6cd55d5

  • SHA1

    3f7e6a4ed823c699c6a18793ed8b18c97c620973

  • SHA256

    14b6341a024dfec538f97f5a3b11efbbc056863ea18eefe58822cd81e81ea09d

  • SHA512

    a68c5af239924f89090e3feec220e0ea1af99a169bbc9c712c43e8154aad754024d830bd58b716f50a245d27dd0f1ca4d44fba217e4b63d3aaea7cc6cca09370

  • SSDEEP

    12288:0Lx0wMMZg3uMgRJv47/qrsm3N1pY+1fgUCytb0OmL2H8tEB2LyO:0LTZgezfvMlmNP1YLZOmq8KALr

Score
10/10
guloadervipkeyloggercollectiondiscoverydownloaderkeyloggerspywarestealer

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot8001354238:AAGn34Kjnx6tMx7mYU1z9kHME3Ora_fTuPc/sendMessage?chat_id=5100996224

Targets

    • Target

      DHLAWBDocument_pdf.exe

    • Size

      696KB

    • MD5

      0aeea57a56be2f86535e0809c6cd55d5

    • SHA1

      3f7e6a4ed823c699c6a18793ed8b18c97c620973

    • SHA256

      14b6341a024dfec538f97f5a3b11efbbc056863ea18eefe58822cd81e81ea09d

    • SHA512

      a68c5af239924f89090e3feec220e0ea1af99a169bbc9c712c43e8154aad754024d830bd58b716f50a245d27dd0f1ca4d44fba217e4b63d3aaea7cc6cca09370

    • SSDEEP

      12288:0Lx0wMMZg3uMgRJv47/qrsm3N1pY+1fgUCytb0OmL2H8tEB2LyO:0LTZgezfvMlmNP1YLZOmq8KALr

    Score
    10/10
    guloadervipkeyloggerdiscoverydownloaderkeyloggerstealercollectionspyware

    • Guloader family

      guloader

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

      stealerkeyloggervipkeylogger

    • Vipkeylogger family

      vipkeylogger

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      b8992e497d57001ddf100f9c397fcef5

    • SHA1

      e26ddf101a2ec5027975d2909306457c6f61cfbd

    • SHA256

      98bcd1dd88642f4dd36a300c76ebb1ddfbbbc5bfc7e3b6d7435dc6d6e030c13b

    • SHA512

      8823b1904dccfaf031068102cb1def7958a057f49ff369f0e061f1b4db2090021aa620bb8442a2a6ac9355bb74ee54371dc2599c20dc723755a46ede81533a3c

    • SSDEEP

      192:PPtkumJX7zB22kGwfy0mtVgkCPOs81un:E702k5qpds8Qn

    Score
    3/10
    discovery
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks