vipkeylogger

General

Target

22022025_0204_21022025_DocumentosCobro.rar
Size

1.3MB
Sample

250222-cg91lavpg1
MD5

e454ac6d198d2c9cb69092296a1c05ee
SHA1

162802580da97f80d36ae36f6ee4b2242bb1132a
SHA256

6feec21ecb49d0574b7a7428b848cd84e130bd706935447ea1496b9c73de35b7
SHA512

e8f3f7e8a3d2c171b90e30d0dc86225d08736f17b40b1a31cfd5a368628e4012cd68173d9f4cbd8948afcbf9289bb380baab29105a492c0b68db6c626530611b
SSDEEP

24576:RxQlLZb3sAQKTeFgb9T9agtDoHCzPrzBuf7JnnAEBGLFQkjgyt6SyRIu5Mn/D+GL:R2WcTeSb9TvVoizDgf2EBGL6S8b75W/Z

Score

10^/10

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
smtp.ionos.es
Port:
587
Username:
[email protected]
Password:
iO1pM8x?A0qD7wQ6n
Email To:
[email protected]

Targets

- Target
  
  DocumentosCobro.exe
- Size
  
  1.5MB
- MD5
  
  dc92b042f121e9dd84055f1725b74c16
- SHA1
  
  318c4f1331a5c86cce10c99db4ec9a678a6c426c
- SHA256
  
  5dbcaf23b022803375e7eb4fda2ca744a3fe93abe53f4cf0ec619cbbcf69bace
- SHA512
  
  56e129d7d077ada55690503466f1933171dd59a3fdc5d5863637899bd46a33c305aa8b5179c2a43dfbb3c979134e6b19131a5f06c91e80cb6b0fcbece0b9ee8b
- SSDEEP
  
  24576:TMwM9cEYtDP0cpMk2guOWzTC6Ph717SM5vw+WDC5InZ/L9GrsXpJzXo1AH9HBev2:TMwfPPpgzxPhNSM9w+wCyig5JzXo1AtJ
Score

10^/10

discovery execution vipkeylogger collection keylogger stealer
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Blocklisted process makes network request
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/nsExec.dll
- Size
  
  7KB
- MD5
  
  4c77a65bb121bb7f2910c1fa3cb38337
- SHA1
  
  94531e3c6255125c1a85653174737d275bc35838
- SHA256
  
  5e66489393f159aa0fd30b630bb345d03418e9324e7d834b2e4195865a637cfe
- SHA512
  
  df50eadf312469c56996c67007d31b85d00e91a4f40355e786536fc0336ac9c2fd8ad9df6e65ab390cc6f031aca28c92212ea23cc40eb600b82a63be3b5b8c04
- SSDEEP
  
  96:JXmkmwmHDqaRrlfAF4IUIqhmKv6vBckXK9wSBl8gvElHturnNQaSGYuHr2DCP:JAjRrlfA6Nv6eWIElNurnNQZGdHc
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  Halvdrene/Outseam73.Mix
- Size
  
  52KB
- MD5
  
  0e82c4714946d559e40591c5305e910f
- SHA1
  
  81db683ad8c11014aeeadad52023ddb97fc85f43
- SHA256
  
  a99059f55b906f22fbf1a2cb86200c741b2d30dd26b43625d740f7a696b01324
- SHA512
  
  78c123f06ccb82de3489c350436633ce32e5f2912d1d36c6f783ee33f2de85ab913d159a74c2566c79aa3c7d3c03de292f2b68dff98b974945b019429ba29831
- SSDEEP
  
  1536:EsH+7aRJ3Lp+aXRgbSi3mXMv+y0aNxK1L8:E77az1+aZ3xa2S
Score

8^/10

execution persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral5 behavioral6