vipkeylogger

General

Target

87cf7164b78119e27b02fddc73bd339e81eb71c3d0a5c81722c065ff64bbcc11
Size

786KB
Sample

250227-b89cpszybt
MD5

7d86b00fcf326a69ff63a4112c70b00e
SHA1

a176064c342fa83e99614f98dfb70bb82c5b60e4
SHA256

87cf7164b78119e27b02fddc73bd339e81eb71c3d0a5c81722c065ff64bbcc11
SHA512

25c3be5fed2446f9d549a68a21ddbcdd43b9d5741574c8afe26d357693669b0e828da20610b84861b5b878ff5d9fb3d360671ddc6b1b8a181a8db9eb92b4e0bc
SSDEEP

24576:Taog+Lb1hElIM9LXIxZB4hC6ZzANJ9lBj94YyOq:TZgwSlIcz4aCAzu948q

Score

10^/10

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7564802476:AAFNFXEtg3BsKAA3SsfbX1loYJO05v_Jivo/sendMessage?chat_id=7904458796

Targets

- Target
  
  87cf7164b78119e27b02fddc73bd339e81eb71c3d0a5c81722c065ff64bbcc11
- Size
  
  786KB
- MD5
  
  7d86b00fcf326a69ff63a4112c70b00e
- SHA1
  
  a176064c342fa83e99614f98dfb70bb82c5b60e4
- SHA256
  
  87cf7164b78119e27b02fddc73bd339e81eb71c3d0a5c81722c065ff64bbcc11
- SHA512
  
  25c3be5fed2446f9d549a68a21ddbcdd43b9d5741574c8afe26d357693669b0e828da20610b84861b5b878ff5d9fb3d360671ddc6b1b8a181a8db9eb92b4e0bc
- SSDEEP
  
  24576:Taog+Lb1hElIM9LXIxZB4hC6ZzANJ9lBj94YyOq:TZgwSlIcz4aCAzu948q
Score

10^/10

discovery execution vipkeylogger collection keylogger stealer
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Accesses Microsoft Outlook profiles
  collection
- Blocklisted process makes network request
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  $WINDIR/porterhouse/Wrynesses.Alg
- Size
  
  53KB
- MD5
  
  f5b2b137807856875a8775b2ca0a78d9
- SHA1
  
  b0df4707f99a9f8d6424838fec2ab61cb777e421
- SHA256
  
  be590cff8cc5b344be42be1818daddaf6eb346ee427e7f6ce07ba3abd8238959
- SHA512
  
  34f9aae5557211f37342bf60b85b30031be09e5f03a58fc446730944bc801ebf7cc3763f6f601b92357459b82eb9252a6d37899a34456b6fcc42c4ecfb9d243e
- SSDEEP
  
  1536:BZrYncLjaS7oOAyQwZ1oaA0TeLCWKTWX90dgMXwS:JLmS7hQGBr0cgE
Score

8^/10

execution persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral3 behavioral4