General

  • Target

    5a7464bcc4660ebad26abdbb13c3a20c28b11d11b2a03c9b26b09c73f89b4a58.exe

  • Size

    616KB

  • Sample

    250219-ekpj6swqaz

  • MD5

    d22d9212a0c0f8f3d45689c1161da1b2

  • SHA1

    381e5444e3e5bfa0ecf3eafeaa4e02b15f0c370e

  • SHA256

    5a7464bcc4660ebad26abdbb13c3a20c28b11d11b2a03c9b26b09c73f89b4a58

  • SHA512

    fdd7fccc65d4cb04b3999322c907708dea0615f1435ccce076a63a3ac4e50d950f5b1eab0758e72d0e702f04e6045093814ff5f4c573a4e3c9c58b208869aacd

  • SSDEEP

    12288:vg2VsqLvsk/6SqKDJk8d+WRtsK/5uJWev4XOqepjOEAGQjW:vg2V1L0kCItphleQXwFrfEW

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      5a7464bcc4660ebad26abdbb13c3a20c28b11d11b2a03c9b26b09c73f89b4a58.exe

    • Size

      616KB

    • MD5

      d22d9212a0c0f8f3d45689c1161da1b2

    • SHA1

      381e5444e3e5bfa0ecf3eafeaa4e02b15f0c370e

    • SHA256

      5a7464bcc4660ebad26abdbb13c3a20c28b11d11b2a03c9b26b09c73f89b4a58

    • SHA512

      fdd7fccc65d4cb04b3999322c907708dea0615f1435ccce076a63a3ac4e50d950f5b1eab0758e72d0e702f04e6045093814ff5f4c573a4e3c9c58b208869aacd

    • SSDEEP

      12288:vg2VsqLvsk/6SqKDJk8d+WRtsK/5uJWev4XOqepjOEAGQjW:vg2V1L0kCItphleQXwFrfEW

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

    • Vipkeylogger family

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      7KB

    • MD5

      4c77a65bb121bb7f2910c1fa3cb38337

    • SHA1

      94531e3c6255125c1a85653174737d275bc35838

    • SHA256

      5e66489393f159aa0fd30b630bb345d03418e9324e7d834b2e4195865a637cfe

    • SHA512

      df50eadf312469c56996c67007d31b85d00e91a4f40355e786536fc0336ac9c2fd8ad9df6e65ab390cc6f031aca28c92212ea23cc40eb600b82a63be3b5b8c04

    • SSDEEP

      96:JXmkmwmHDqaRrlfAF4IUIqhmKv6vBckXK9wSBl8gvElHturnNQaSGYuHr2DCP:JAjRrlfA6Nv6eWIElNurnNQZGdHc

    • Score

      3/10

    • Target

      Oplagringers.Sti

    • Size

      56KB

    • MD5

      172a2e725c31a9307f57fc521e7db52d

    • SHA1

      98fc978b17e9cbd62f0895c78b73b71ef4fdbe6c

    • SHA256

      2d21ee452d6ec7e69fba3feb7ac2f84e221291e6759b262ab2153012bf0d9b73

    • SHA512

      5ebf7f94006c3f3dab1e7096c29793b10284507f9324a47926c3b06a1e083a1e011235a60e53a7744f344f0ffdb755db8ebfbe91f8ceb21aabbdc16f7496649d

    • SSDEEP

      1536:NHVu3SIUVtXXibggDjQ7yKB/kZqaoClCpbODr:NHVuidVxibggAGKBsZqPMCKr

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks