Overview

overview

10

Static

static

3

Swift Copy...25.exe

windows7-x64

10

Swift Copy...25.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    584f3ede58a3778e34bb8465ed77cf081eb5be1327327afc68d34fa5fb8c975b.rar

  • Size

    932KB

  • Sample

    250219-ejgg6syly6

  • MD5

    533192f31c24d7f18e145b6cb6ca0c15

  • SHA1

    a2a9130b6609a4e8007fb5ce594c6c2f677f5b52

  • SHA256

    584f3ede58a3778e34bb8465ed77cf081eb5be1327327afc68d34fa5fb8c975b

  • SHA512

    1b45b6f5de977ed3dab7114b30d2258ecdce0eb7658ff89b8851b318a628cb4404efed6392ad87aefdaee398a15b5d13712bcac4b4194ea1abf79bf7a4b7cfec

  • SSDEEP

    24576:uDX5hicOPwyYNwF923VnB2zzxVKAhbu/YhRXcOobXVzZMBtJuE:urK/wFNwFSnUJXZwYHeBVMDJuE

Score
10/10
guloadervipkeyloggercollectiondiscoverydownloaderkeyloggerspywarestealer

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7868872251:AAGgFQ9Bkl4sqj91n2vPKSuoyNLVzJTqODY/sendMessage?chat_id=8173633564

Targets

    • Target

      Swift Copy_18.02.2025.exe

    • Size

      990KB

    • MD5

      4a1f527399836a20e0c648007bd75c4f

    • SHA1

      2155f638fc81a0ff83da6dbd57375ff7bb22d09e

    • SHA256

      151e5e6525dafef00671528a54c639918f7598b0d0b36fa2de0bc92db585e7b1

    • SHA512

      73170e38024e8658cf20a99106eef0bf2052d27c97fa871dfdac744e51f24f06cf9d2ad1cfe3ef7888128be552b72e429ab77b766109fe9c855856f830a7f39e

    • SSDEEP

      24576:pG9BmJnN9a01Y2EiqFjIVkUINdOko/vrP:mBmJN9a0y3iqFEVHIN3oHrP

    Score
    10/10
    guloadervipkeyloggerdiscoverydownloaderkeyloggerstealercollectionspyware

    • Guloader family

      guloader

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

      stealerkeyloggervipkeylogger

    • Vipkeylogger family

      vipkeylogger

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      b853d5d2361ade731e33e882707efc34

    • SHA1

      c58b1aeabdf1cbb8334ef8797e7aceaa7a1cb6be

    • SHA256

      f0cd96e0b6e40f92ad1aa0efacde833bae807b92fca19bf062c1cf8acf29484b

    • SHA512

      8ea31d82ffa6f58dab5632fe72690d3a6db0be65aec85fc8a1f71626773c0974dcebefae17bcf67c4c56ef442545e985eea0b348ff6e4fc36740640092b08d69

    • SSDEEP

      192:eA2HS+ihg200uWz947Wzvxu6v0MI7JOde+Ij5Z77dslFsEf:mS62Gw947ExuGDI7J8EF7KIE

    Score
    3/10
    discovery
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks