vipkeylogger

General

Target

a5aa4b11083783859e22483391d4838d59a7fc74ad991fe04293a0ffd6fc3340
Size

1.3MB
Sample

250220-scamyayps8
MD5

db69c1016d58a9954a5f685f9a84929b
SHA1

c60f2084bc3acd6595dd3447bf28f11ae13bfaea
SHA256

a5aa4b11083783859e22483391d4838d59a7fc74ad991fe04293a0ffd6fc3340
SHA512

46a24e3c0180a5d1c90fda9217fd15772736db68902cdf4be84bf627244ba8860e2a717a5288a1cbe18119868bb24a9e13b9bf9ef75bb40a25838e448d433f69
SSDEEP

24576:5HJfMI/LfYCUXUoyKTl0JaGylKpszXcksVRSM/Ui9o3Aqx1CN:fEqLfYtoOl/VSSMksjSFi9o3Aqq

Score

10^/10

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
smtp.ionos.fr
Port:
587
Username:
[email protected]
Password:
HSBcargo_22
Email To:
[email protected]

Targets

- Target
  
  JUSTIFICANTE DE PAGO.exe
- Size
  
  1.5MB
- MD5
  
  60243d8e1b0c3f14d047425916179b53
- SHA1
  
  e47e9975624180ce18e25bd9e95f5fe1302e0bb1
- SHA256
  
  4055a5793b4c9dfcd1b8b55be4fafe54c8c69147c37940fff5364fe6926381d5
- SHA512
  
  09878b1091db3e95820797ddb263f7a14567b20d4bf4d313917a38a2319de58a899594d86c5cdc990c3371a3340ec7a743b88d1c77e80c2cac99c3b74666d015
- SSDEEP
  
  24576:aMwM9cEYGiB/YRVk0c6Ph717SM5vw+WDC5InZ/L9GrsXpJzXo1AH9HBevK9Y9Ek:aMwQG/YRVk0DPhNSM9w+wCyig5JzXo1D
Score

10^/10

discovery execution vipkeylogger collection keylogger stealer
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Blocklisted process makes network request
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/nsExec.dll
- Size
  
  7KB
- MD5
  
  4c77a65bb121bb7f2910c1fa3cb38337
- SHA1
  
  94531e3c6255125c1a85653174737d275bc35838
- SHA256
  
  5e66489393f159aa0fd30b630bb345d03418e9324e7d834b2e4195865a637cfe
- SHA512
  
  df50eadf312469c56996c67007d31b85d00e91a4f40355e786536fc0336ac9c2fd8ad9df6e65ab390cc6f031aca28c92212ea23cc40eb600b82a63be3b5b8c04
- SSDEEP
  
  96:JXmkmwmHDqaRrlfAF4IUIqhmKv6vBckXK9wSBl8gvElHturnNQaSGYuHr2DCP:JAjRrlfA6Nv6eWIElNurnNQZGdHc
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  Illimitedness/Sprinkles.Omn
- Size
  
  52KB
- MD5
  
  8af5055352f12b4e6f2465fbc1458cf5
- SHA1
  
  599607120702949b986bfe936d627470c81f048c
- SHA256
  
  59f4336f613f08e0183095b710765d0d696428c5a91f3071b094453f38d94655
- SHA512
  
  340ee325a8c1e66b65d036bf5f2008dfe16d2999cf61ab9bc2f86ff13e53adbe041b31a4f6a97ea050eb7315d544eb3232309325db274e42ad6b2261571d60ea
- SSDEEP
  
  768:83Q0pbh7YFuPhyUxbEB9mexUhIN7GEPjC6GqrrFJbsl/hTpbmgG7pMtloKF6Hxfr:83Q4ZYIPPgFx7xjC6/LQyVpYUJRia
Score

8^/10

execution persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral5 behavioral6