Overview

overview

10

Static

static

3

factura pendiente.exe

windows7-x64

7

factura pendiente.exe

windows10-2004-x64

10

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

Feedbag/Re...ng.ps1

windows7-x64

3

Feedbag/Re...ng.ps1

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    nfactura_pendiente.tar

  • Size

    1.3MB

  • Sample

    250220-tw7x8ayqfp

  • MD5

    5bc6dfaae47e1a148e6767ce20c118e5

  • SHA1

    80061baeb43114ec3c242f9984d9814ef5637f10

  • SHA256

    a08ee7cb3c65fd01dc498000358f9f9ef844bcd3c9270a0a47dd65b6ca59b78a

  • SHA512

    e32fd134cc4f05827aaa8ddb17032675a5ce56e1a5fbc8a4c7aed6c0c4fe9cafc082d33f4b23391e17bda7e70b83431df03b6e4a7a50a8bd19c16e2a7f36b082

  • SSDEEP

    24576:KuIms3YBqyg6Nalm7NPBRDqgHcgWWdW5mdynf6k2LaaORPH/UGXrqCUm:KOo4P7NLOg8gjRynfcERf/hmCUm

Score
10/10
vipkeyloggercollectiondiscoveryexecutionkeyloggerpersistencestealer

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7976785364:AAG01E14p5lnc2jDViau5TEAhyIxlJZ0CRE/sendMessage?chat_id=7804674933

Targets

    • Target

      factura pendiente.exe

    • Size

      1.5MB

    • MD5

      4ec8b156fddfcd481f70148c00f18265

    • SHA1

      e19d33d3a778036d61e3f4139d266a5308f3ba2f

    • SHA256

      7e2c94cf14e1497fa7d624292dd44204ad506de3d8d71e084870735fa8f8c164

    • SHA512

      dc39df162c767834c7e1175e38e2fbd31f640e83077a8b2b395dd41b71ec7f534284864f83f687ac5b46385b0fe47492e8c2a1026c5c6c7820814b7f03ab1efc

    • SSDEEP

      24576:eMwM9cEYUGd3K3fTIyd11F6Ph717SM5vw+WDC5InZ/L9GrsXpJzXo1AH9HBevK9C:eMwVK3fz12PhNSM9w+wCyig5JzXo1Ate

    Score
    10/10
    discoveryexecutionvipkeyloggercollectionkeyloggerstealer

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

      stealerkeyloggervipkeylogger

    • Vipkeylogger family

      vipkeylogger

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

      collection

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      7KB

    • MD5

      4c77a65bb121bb7f2910c1fa3cb38337

    • SHA1

      94531e3c6255125c1a85653174737d275bc35838

    • SHA256

      5e66489393f159aa0fd30b630bb345d03418e9324e7d834b2e4195865a637cfe

    • SHA512

      df50eadf312469c56996c67007d31b85d00e91a4f40355e786536fc0336ac9c2fd8ad9df6e65ab390cc6f031aca28c92212ea23cc40eb600b82a63be3b5b8c04

    • SSDEEP

      96:JXmkmwmHDqaRrlfAF4IUIqhmKv6vBckXK9wSBl8gvElHturnNQaSGYuHr2DCP:JAjRrlfA6Nv6eWIElNurnNQZGdHc

    Score
    3/10
    discovery
    behavioral3behavioral4

    • Target

      Feedbag/Reenjoying.Pos

    • Size

      55KB

    • MD5

      b1900f725fdad25bd4aeb9a6f2f2c924

    • SHA1

      d51648a46eb9d76709835b81f80a66502cb13a91

    • SHA256

      8ba966646c30bfdacb67109ea74cbde3c3055c9595034146eb0bb4cd3c43d699

    • SHA512

      381af4760ce6144e05f5a95e913bdc04a043215025f0be47fbba466cf2f501fca1be4f46b224bb95fee9a89aebe61093573d6e934ab62d62703af116262264f3

    • SSDEEP

      1536:1h35jGkFoulw3aGgzsKcl91TJR/FK72ho:1NNbuulw3aGHKcH1/l6

    Score
    8/10
    executionpersistence

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Tasks