Overview

overview

10

Static

static

3

f9d051b1d7...f6.exe

windows7-x64

7

f9d051b1d7...f6.exe

windows10-2004-x64

10

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

Kinestheses.ps1

windows7-x64

3

Kinestheses.ps1

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    f9d051b1d729d3a1689e7b1454902012a5d757f5b5339db346ffcead746802f6.exe

  • Size

    1.5MB

  • Sample

    250221-e2pw9sspdv

  • MD5

    65249febec3f7bde1c51b92ff5d3c4a7

  • SHA1

    459c11b637dc859eacea6d65489729f7b32fbf27

  • SHA256

    f9d051b1d729d3a1689e7b1454902012a5d757f5b5339db346ffcead746802f6

  • SHA512

    e739a509aa7029116395a436f6b9c07e9e74bae0e81c312e0e0663c315be862a118b18d60c45b72268b47ad09a13ed0c9db54d4f97eba474c154d14d8cbe9a1c

  • SSDEEP

    24576:nMwM9cEY0ASIJSEwseD6Ph717SM5vw+WDC5InZ/L9GrsXpJzXo1AH9HBevK9Y9Ey:nMwLhcOPhNSM9w+wCyig5JzXo1AtBUK2

Score
10/10
vipkeyloggercollectiondiscoveryexecutionkeyloggerpersistencestealer

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7905739203:AAHVrbaqwZh7jsUdl3dYwh5_SurA4XOPFCU/sendMessage?chat_id=8187594209

Targets

    • Target

      f9d051b1d729d3a1689e7b1454902012a5d757f5b5339db346ffcead746802f6.exe

    • Size

      1.5MB

    • MD5

      65249febec3f7bde1c51b92ff5d3c4a7

    • SHA1

      459c11b637dc859eacea6d65489729f7b32fbf27

    • SHA256

      f9d051b1d729d3a1689e7b1454902012a5d757f5b5339db346ffcead746802f6

    • SHA512

      e739a509aa7029116395a436f6b9c07e9e74bae0e81c312e0e0663c315be862a118b18d60c45b72268b47ad09a13ed0c9db54d4f97eba474c154d14d8cbe9a1c

    • SSDEEP

      24576:nMwM9cEY0ASIJSEwseD6Ph717SM5vw+WDC5InZ/L9GrsXpJzXo1AH9HBevK9Y9Ey:nMwLhcOPhNSM9w+wCyig5JzXo1AtBUK2

    Score
    10/10
    discoveryexecutionvipkeyloggercollectionkeyloggerstealer

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

      stealerkeyloggervipkeylogger

    • Vipkeylogger family

      vipkeylogger

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

      collection

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      7KB

    • MD5

      4c77a65bb121bb7f2910c1fa3cb38337

    • SHA1

      94531e3c6255125c1a85653174737d275bc35838

    • SHA256

      5e66489393f159aa0fd30b630bb345d03418e9324e7d834b2e4195865a637cfe

    • SHA512

      df50eadf312469c56996c67007d31b85d00e91a4f40355e786536fc0336ac9c2fd8ad9df6e65ab390cc6f031aca28c92212ea23cc40eb600b82a63be3b5b8c04

    • SSDEEP

      96:JXmkmwmHDqaRrlfAF4IUIqhmKv6vBckXK9wSBl8gvElHturnNQaSGYuHr2DCP:JAjRrlfA6Nv6eWIElNurnNQZGdHc

    Score
    3/10
    discovery
    behavioral3behavioral4

    • Target

      Kinestheses.Tra

    • Size

      52KB

    • MD5

      4281bb34dbc6a97669b1815f61d33612

    • SHA1

      605f5b8e73077d2814da07642031ce974b08f2cd

    • SHA256

      4903967d23168ae80a460eb825ad870aa4dcdc57932a522999442f4612ef3c20

    • SHA512

      9062f880f1d9af15da31f40a648677d1bc8d581c19aebff91628dcb9dc1c00b461270cf0b37f29fa26522fc75d4cf3e4476fd95d26ee7162a8c9aa44b2c52184

    • SSDEEP

      1536:wj7u/ytfDkfTspAvZPzBXY/6N/wRysUR0P2e9x:wj7uatbW0A1YCN2UG2eb

    Score
    8/10
    executionpersistence

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Tasks