Overview

overview

10

Static

static

3

rConfirmac...go.exe

windows7-x64

7

rConfirmac...go.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    rConfirmaci__n-de-pago.exe

  • Size

    960KB

  • Sample

    250226-wlgpdsykz3

  • MD5

    8e9d033337f8e059eaefe649a4197be6

  • SHA1

    37efe644c5422c1a0e02be021d98e4be73271e78

  • SHA256

    fd0dc24eaa5dd665cd3f607db673628f63c248b1bf0e202cb2fe7ecf3d2c2570

  • SHA512

    805c0371323865dc4528c6b06b416150a0b1184b2f2e63eb4ad3beca28eca054b18995847bcebe0b0132d9f21e838020018f302ce5cc79f7fdd4f1062abd7f0c

  • SSDEEP

    24576:DfYzitFHRydnB0Bhc2aK9bplo0EOlyGmsYu8g7++072+W7W:rYy+BMhXlrEpG8u8gswW

Score
10/10
guloadervipkeyloggercollectiondiscoverydownloaderkeyloggerspywarestealer

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7040312407:AAFWVlSIzsmV7GmLpQj1tUsYJkbKZM5-bUU/sendMessage?chat_id=7763958191

Targets

    • Target

      rConfirmaci__n-de-pago.exe

    • Size

      960KB

    • MD5

      8e9d033337f8e059eaefe649a4197be6

    • SHA1

      37efe644c5422c1a0e02be021d98e4be73271e78

    • SHA256

      fd0dc24eaa5dd665cd3f607db673628f63c248b1bf0e202cb2fe7ecf3d2c2570

    • SHA512

      805c0371323865dc4528c6b06b416150a0b1184b2f2e63eb4ad3beca28eca054b18995847bcebe0b0132d9f21e838020018f302ce5cc79f7fdd4f1062abd7f0c

    • SSDEEP

      24576:DfYzitFHRydnB0Bhc2aK9bplo0EOlyGmsYu8g7++072+W7W:rYy+BMhXlrEpG8u8gswW

    Score
    10/10
    discoveryguloadervipkeyloggercollectiondownloaderkeyloggerspywarestealer

    • Guloader family

      guloader

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

      stealerkeyloggervipkeylogger

    • Vipkeylogger family

      vipkeylogger

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      192639861e3dc2dc5c08bb8f8c7260d5

    • SHA1

      58d30e460609e22fa0098bc27d928b689ef9af78

    • SHA256

      23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6

    • SHA512

      6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

    • SSDEEP

      192:ljHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZqE0QPi:R/Qlt7wiij/lMRv/9V4bfr

    Score
    3/10
    discovery
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks