General

  • Target

    f93334ec49cb451073fd08c48477d6e68f548e5b30395142b88b7c15a250a936

  • Size

    422KB

  • Sample

    250224-r7dseayjv6

  • MD5

    e726ed1fb5c6c751ceb4fa4b535fc963

  • SHA1

    5c2398633c7e9e6a822d92774f52539c159b0dfa

  • SHA256

    f93334ec49cb451073fd08c48477d6e68f548e5b30395142b88b7c15a250a936

  • SHA512

    0bbb161ae66251c36ac18c04e42fb66d5a6c6037c3319e7d1470c483537e47bbf99668534ea622b6c265b660ac8037f6ebb96da7881eea5486ca2e91df18f06e

  • SSDEEP

    6144:jQOd97ial5bSrnJSPxi0TKzhPQTLPpoZ8PzxnvU+sgHduq79lCiFCMZSoJ+WYwD5:jXJl5mH0TAQPPpg8tnVl1ZfVph

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.tecnoperfec.com.bo
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    !jSmDiCQmbT&

Extracted

Family

vipkeylogger

Targets

    • Target

      Frankpledge.exe

    • Size

      500KB

    • MD5

      75c519548e92e3367469a0ff25cdca40

    • SHA1

      da28d9041d26c1dca833c2765fd601bb8be4c878

    • SHA256

      e252330158f8453a40b143203611716c0173005328a0d27436cd9ffac91d63fd

    • SHA512

      e6c27a32bfa92a8ff1a5d44176d469efef5e2bddc2b7c390a682503d2035bb4a5d01b88dd1bcf3c19a4a07bba11eac94869cc08fc5afb0f7415e600bef8a3600

    • SSDEEP

      12288:VQeEJFJYJbJPeJyxJxWJiJfJcJWJSJaJ2J/JSJFJ8JjJcJHJQJoXJSJAhwjJTJZ6:dEJFJYJbJPeJyxJxWJiJfJcJWJSJaJ2c

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first found in 2020.

    • Vipkeylogger family

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      51e63a9c5d6d230ef1c421b2eccd45dc

    • SHA1

      c499cdad5c613d71ed3f7e93360f1bbc5748c45d

    • SHA256

      cd8496a3802378391ec425dec424a14f5d30e242f192ec4eb022d767f9a2480f

    • SHA512

      c23d713c3c834b3397c2a199490aed28f28d21f5781205c24df5e1e32365985c8a55be58f06979df09222740ffa51f4da764ebc3d912cd0c9d56ab6a33cab522

    • SSDEEP

      96:W7GUaYNwCLuGFctpiKFlYJ8hH4RVHpwdEeY3kRlDr6dMqqyVgN738:Iygp3FcHi0xhYMR8dMqJVgN

    • Score

      3/10

    • Target

      Vikingers.Sap

    • Size

      55KB

    • MD5

      8f7cae39d5fd60d3cc926d94e45b839f

    • SHA1

      87c3bad45e79f6d89a6840d5580eab24674af89e

    • SHA256

      6a3efb96bf5c84d6adae4fa699aa64f266d3f258cc03619cb03500e46a014caf

    • SHA512

      03fe02e6c3d0f2072112c6037c592ec6472ed6d8a6d1826e30c1fc94ff27497452d9c6baed47d1115a6bf50d82847d845a6ca9bc7ab4d5b9a71eba6977e47211

    • SSDEEP

      1536:kLubTbY0XWNAKh8bXfJZMncznLSxT0puR4wEC:DWAK0R+hDRr

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15