Overview

overview

10

Static

static

3

MODELO 347.exe

windows7-x64

8

MODELO 347.exe

windows10-2004-x64

10

Boligretss...gs.ps1

windows7-x64

3

Boligretss...gs.ps1

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    MODELO 347.exe

  • Size

    673KB

  • Sample

    250226-nxx7hsymy6

  • MD5

    9116ff8e493e8c1f66e0a92b09ee14f0

  • SHA1

    05df6f6d94d985f4d9a961e9ea5c420c4be6c137

  • SHA256

    a3c8884b793b10cd71ce232f59bd456100616f517ba28c8802cf8f1a03eb2beb

  • SHA512

    6ad69ba8a034e49ad996ff09fd870da99c50c4c8c4cb31aaf459cc8379a0dd528f62377ede10b8e978687edcc58f12f30161c2518ee5b3f1989f5bf38be10115

  • SSDEEP

    12288:nknx3DkSMlujq7Goffb1onzLpjbFNy4GBHyxbYDI+QHgkb/n8xps:43D2u8GczcL3wqbf+Q7T8w

Score
10/10
vipkeyloggercollectiondiscoveryexecutionkeyloggerpersistencestealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      MODELO 347.exe

    • Size

      673KB

    • MD5

      9116ff8e493e8c1f66e0a92b09ee14f0

    • SHA1

      05df6f6d94d985f4d9a961e9ea5c420c4be6c137

    • SHA256

      a3c8884b793b10cd71ce232f59bd456100616f517ba28c8802cf8f1a03eb2beb

    • SHA512

      6ad69ba8a034e49ad996ff09fd870da99c50c4c8c4cb31aaf459cc8379a0dd528f62377ede10b8e978687edcc58f12f30161c2518ee5b3f1989f5bf38be10115

    • SSDEEP

      12288:nknx3DkSMlujq7Goffb1onzLpjbFNy4GBHyxbYDI+QHgkb/n8xps:43D2u8GczcL3wqbf+Q7T8w

    Score
    10/10
    discoveryexecutionvipkeyloggercollectionkeyloggerstealer

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

      stealerkeyloggervipkeylogger

    • Vipkeylogger family

      vipkeylogger

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Accesses Microsoft Outlook profiles

      collection

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      Boligretssager/Skrinlgnings.Pri

    • Size

      53KB

    • MD5

      70e48952c940b791cc5d57c815cc66f2

    • SHA1

      894f79ce1794d012252fde755e8743f5acc0e5c0

    • SHA256

      1e9d85bae3e43aca86d6b4b4b16b0ebca713fd0dcbf6917b6915bbf644543949

    • SHA512

      82c97bea8b231e6dfc8af045801641d95ee50e357c61962faaffb053f2971f10586927180db0fa7c62e09a325499a59aa791e4d20d5ceb963381a8f415991c72

    • SSDEEP

      768:gtr3Difaie+aJiSZB1ccJTgyt6HI3hSEnsbx/S9lzN2/ylTbNXf:4D29ehzZYcJTrAIRlnM54lh2/Mpv

    Score
    8/10
    executionpersistence

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks