General
-
Target
payment.rar
-
Size
417KB
-
Sample
250224-wpcvlswrs8
-
MD5
c0aba3e9e8641c901b98799bbbf3adff
-
SHA1
785a722cad8c1711a843d312467c9bbcaf44df7e
-
SHA256
934801a22972a860d0f209cb42a91b6f4dc6ae8ea60b1f6a5ae959b0c5dd4a94
-
SHA512
fcbcfd4758e03b1ba3a8c91fd428d608ea8bd99d448d2e362ac0a86bdc91f117d26658f3cd8b4fb208cde75abca552dfc0cd9fd0b8e1e418892dac71dd40802e
-
SSDEEP
12288:kZlnNx5CubImnelo81PRDaPSATAvU3z0fDjirgN:Wc+Ij1PhaPSnvUjMp
Malware Config
Extracted
vipkeylogger
Protocol: smtp- Host:
smtp.ionos.es - Port:
587 - Username:
[email protected] - Password:
s46S2&4+ - Email To:
[email protected]
Targets
-
-
Target
payment.rar
-
Size
417KB
-
MD5
c0aba3e9e8641c901b98799bbbf3adff
-
SHA1
785a722cad8c1711a843d312467c9bbcaf44df7e
-
SHA256
934801a22972a860d0f209cb42a91b6f4dc6ae8ea60b1f6a5ae959b0c5dd4a94
-
SHA512
fcbcfd4758e03b1ba3a8c91fd428d608ea8bd99d448d2e362ac0a86bdc91f117d26658f3cd8b4fb208cde75abca552dfc0cd9fd0b8e1e418892dac71dd40802e
-
SSDEEP
12288:kZlnNx5CubImnelo81PRDaPSATAvU3z0fDjirgN:Wc+Ij1PhaPSnvUjMp
Score10/10-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Vipkeylogger family
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Blocklisted process makes network request
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
Invoice Pending Payment.exe
-
Size
495KB
-
MD5
e70e71a31781b44f850a39693784ce74
-
SHA1
ce8cf2dc1b30d5d6870cc3d374c15e1005fdc879
-
SHA256
a02b56b4c74424b72ae21d4737e822653e68b9762e1aeb313d81bd45abce39e7
-
SHA512
2a7994cec6638f7ff523358e7df0bfddad0f2abaef89e598455e9f0b7a44009e139ac9f9afd7ac38377ed302727c5c75322327b8fabf0b450835cdbb5c52a9a8
-
SSDEEP
12288:yQeEJFJYJbJPeJyxJxWJiJfJcJWJSJaJ2J/JSJFJ8JjJcJHJQJoXJSJAhwjJTJZx:cEJFJYJbJPeJyxJxWJiJfJcJWJSJaJ2p
Score10/10-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Vipkeylogger family
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Blocklisted process makes network request
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
$PLUGINSDIR/nsExec.dll
-
Size
6KB
-
MD5
51e63a9c5d6d230ef1c421b2eccd45dc
-
SHA1
c499cdad5c613d71ed3f7e93360f1bbc5748c45d
-
SHA256
cd8496a3802378391ec425dec424a14f5d30e242f192ec4eb022d767f9a2480f
-
SHA512
c23d713c3c834b3397c2a199490aed28f28d21f5781205c24df5e1e32365985c8a55be58f06979df09222740ffa51f4da764ebc3d912cd0c9d56ab6a33cab522
-
SSDEEP
96:W7GUaYNwCLuGFctpiKFlYJ8hH4RVHpwdEeY3kRlDr6dMqqyVgN738:Iygp3FcHi0xhYMR8dMqJVgN
Score3/10 -
-
-
Target
Defmrkede/Crossbeam.Dec122
-
Size
58KB
-
MD5
798e71f2fb7aeccbf532d4b9c7484b56
-
SHA1
d22784524ac6412395f51a3fd3fe0cfba04f034c
-
SHA256
1669d04c0289873aa79409ac3522a90ce116740f52c11eb8833aaf5c8908acb8
-
SHA512
29f868a51ac1b4c25a4a7d1fad093e6fccc3adc762f8fa791c8e728aaf16a26ce0e43cdf45f955d0152d94ccff514776426bfb9a088cebf77ef9521a642606bf
-
SSDEEP
1536:IuWZnBGyJTf6U1uxBx174Nsp/0PjUt5hYlH:ULvTf/1uHNcj6XYt
Score8/10-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-