General

  • Target

    af19b4b47092af571740a087ad59f9106bd537bdf439fabaf8148d1a8d8c0c42.exe

  • Size

    501KB

  • Sample

    250225-dcsq7aypy3

  • MD5

    ed390ba9dad731f45917d47a22fd8db7

  • SHA1

    6e62363870711c4c6c6f23949af165504948293f

  • SHA256

    af19b4b47092af571740a087ad59f9106bd537bdf439fabaf8148d1a8d8c0c42

  • SHA512

    b3ce3d1ec15589c528c93008bd45906821b7ba28539ba3d80a7ddcfcc86b0ede92cb3e70dd398f2caabd28279a9e910b52aea6adb4562ead13bb8e50d4ec5eb8

  • SSDEEP

    12288:VQeEJFJYJbJPeJyxJxWJiJfJcJWJSJaJ2J/JSJFJ8JjJcJHJQJoXJSJAhwjJTJZy:dEJFJYJbJPeJyxJxWJiJfJcJWJSJaJ2K

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      af19b4b47092af571740a087ad59f9106bd537bdf439fabaf8148d1a8d8c0c42.exe

    • Size

      501KB

    • MD5

      ed390ba9dad731f45917d47a22fd8db7

    • SHA1

      6e62363870711c4c6c6f23949af165504948293f

    • SHA256

      af19b4b47092af571740a087ad59f9106bd537bdf439fabaf8148d1a8d8c0c42

    • SHA512

      b3ce3d1ec15589c528c93008bd45906821b7ba28539ba3d80a7ddcfcc86b0ede92cb3e70dd398f2caabd28279a9e910b52aea6adb4562ead13bb8e50d4ec5eb8

    • SSDEEP

      12288:VQeEJFJYJbJPeJyxJxWJiJfJcJWJSJaJ2J/JSJFJ8JjJcJHJQJoXJSJAhwjJTJZy:dEJFJYJbJPeJyxJxWJiJfJcJWJSJaJ2K

    • VIPKeylogger

      VIPKeylogger is a keylogger and information stealer written in C#. Its code closely resembles SnakeKeylogger, which was first observed in 2020.

    • Vipkeylogger family

    • Loads dropped DLL

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      51e63a9c5d6d230ef1c421b2eccd45dc

    • SHA1

      c499cdad5c613d71ed3f7e93360f1bbc5748c45d

    • SHA256

      cd8496a3802378391ec425dec424a14f5d30e242f192ec4eb022d767f9a2480f

    • SHA512

      c23d713c3c834b3397c2a199490aed28f28d21f5781205c24df5e1e32365985c8a55be58f06979df09222740ffa51f4da764ebc3d912cd0c9d56ab6a33cab522

    • SSDEEP

      96:W7GUaYNwCLuGFctpiKFlYJ8hH4RVHpwdEeY3kRlDr6dMqqyVgN738:Iygp3FcHi0xhYMR8dMqJVgN

    • Score

      3/10

    • Target

      Fetalisation.Skm

    • Size

      53KB

    • MD5

      871a6d5157172d55968ef12e17801876

    • SHA1

      ab84cf4eb5b06098f6349c6da15d2bfb02ab2c73

    • SHA256

      37670c06c97e741fd4842a26ce3c9fdc1d715e848b1dc57376c5d7a4851c52bc

    • SHA512

      4c4a176fe4364ab03bfb35595ef2bfe3eeaaff93044662770fb51740a7be6d162a5db2b48af2d0ff8b75f0a3564871be32d27cd96a667d4dd4a0a7ab47b1eaef

    • SSDEEP

      1536:B7BJgPbaPXMHShxDO4mxTc+6munRziIgKko:B7BJUbiMHSh5NmCNmunAIgE

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.
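The signature names above say what the sandbox observed but not which API calls, flags and registry paths each one keys on. The block below is an added example written for this page, not Triage's or any vendor's signature code: a small matcher that replays the five behaviours flagged for the two targets (the two HideFromDebugger anti-debug calls, the external IP lookup, the Active Setup persistence write, and the non-C: drive enumeration) over a constructed event trace. The constants come from the public Windows native API headers (ThreadHideFromDebugger = 0x11, THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x4); the IP-lookup host list, the event format, the placeholder GUID and the sample trace are assumptions made for the example and are not taken from this report.

```python
import re
from dataclasses import dataclass, field

# Native API constants as published in the phnt/ntddk headers.
THREAD_HIDE_FROM_DEBUGGER = 0x11              # THREADINFOCLASS ThreadHideFromDebugger
THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x4  # NtCreateThreadEx CreateFlags bit

# Key under which Active Setup runs StubPath commands at logon (T1547.014).
ACTIVE_SETUP_KEY = "\\microsoft\\active setup\\installed components\\"

# Public IP-lookup endpoints: an assumed list for this example, not the sandbox's own.
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "ip-api.com", "icanhazip.com"}


@dataclass
class Event:
    kind: str                      # "api" (native/Win32 call), "net" (HTTP host), "reg" (registry op)
    name: str                      # API name, host name, or registry value path
    args: dict = field(default_factory=dict)


def sig_nt_set_info_hide(ev: Event) -> bool:
    """NtSetInformationThread(..., ThreadHideFromDebugger) stops debug events for the thread."""
    return (ev.kind == "api" and ev.name == "NtSetInformationThread"
            and ev.args.get("ThreadInformationClass") == THREAD_HIDE_FROM_DEBUGGER)


def sig_nt_create_thread_hide(ev: Event) -> bool:
    """NtCreateThreadEx with the hide-from-debugger flag creates the thread already hidden."""
    return (ev.kind == "api" and ev.name == "NtCreateThreadEx"
            and bool(ev.args.get("CreateFlags", 0) & THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER))


def sig_external_ip_lookup(ev: Event) -> bool:
    return ev.kind == "net" and ev.name.lower() in IP_LOOKUP_HOSTS


def sig_active_setup(ev: Event) -> bool:
    """A write to ...\\Active Setup\\Installed Components\\<id>\\StubPath gains per-user logon execution."""
    path = ev.name.lower()
    return (ev.kind == "reg" and ev.args.get("op") == "set"
            and ACTIVE_SETUP_KEY in path and path.endswith("\\stubpath"))


_DRIVE_ROOT = re.compile(r"^([a-zA-Z]):\\?$")


def sig_enumerates_drives(ev: Event) -> bool:
    """Fires on a drive-root query for any drive other than the default C:."""
    if ev.kind != "api" or ev.name not in {"GetDriveTypeW", "GetVolumeInformationW"}:
        return False
    m = _DRIVE_ROOT.match(ev.args.get("Path", ""))
    return bool(m) and m.group(1).upper() != "C"


# Signature names mirror the report so hits can be read against it.
SIGNATURES = {
    "Suspicious use of NtSetInformationThreadHideFromDebugger": sig_nt_set_info_hide,
    "Suspicious use of NtCreateThreadExHideFromDebugger": sig_nt_create_thread_hide,
    "Looks up external IP address via web service": sig_external_ip_lookup,
    "Boot or Logon Autostart Execution: Active Setup": sig_active_setup,
    "Enumerates connected drives": sig_enumerates_drives,
}


def run_signatures(events):
    """Return {signature name: [indices of matching events]} for every signature that fired."""
    hits = {}
    for i, ev in enumerate(events):
        for name, rule in SIGNATURES.items():
            if rule(ev):
                hits.setdefault(name, []).append(i)
    return hits


# Constructed trace (not taken from the report); each entry imitates one sandbox event.
SAMPLE_TRACE = [
    Event("api", "NtSetInformationThread", {"ThreadInformationClass": 0x11}),  # hides thread
    Event("api", "NtSetInformationThread", {"ThreadInformationClass": 0x02}),  # ThreadPriority: benign
    Event("api", "NtCreateThreadEx", {"CreateFlags": 0x4}),
    Event("net", "api.ipify.org"),
    Event("net", "example.com"),                                               # ordinary host: benign
    Event("reg", r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
                 r"\{00000000-0000-0000-0000-000000000000}\StubPath",          # placeholder GUID
          {"op": "set", "data": r"C:\Users\Public\update.exe"}),               # placeholder path
    Event("api", "GetDriveTypeW", {"Path": "C:\\"}),                           # default drive: benign
    Event("api", "GetDriveTypeW", {"Path": "D:\\"}),
]

if __name__ == "__main__":
    for name, idx in run_signatures(SAMPLE_TRACE).items():
        print(f"{name}: events {idx}")
```

Run stand-alone it lists each of the five signatures with the index of the constructed event that triggered it; the benign entries (ThreadPriority, example.com, the C: root) produce no hit. Real sandbox traces carry many more argument fields, and a production rule for the drive check would also want to ignore removable-media and CD-ROM return values, but the matching logic is the same.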

MITRE ATT&CK Enterprise v15

Tasks