Overview

overview

10

Static

static

3

3297362893...ba.exe

windows7-x64

7

3297362893...ba.exe

windows10-2004-x64

10

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

Arbejdslag...er.ps1

windows7-x64

3

Arbejdslag...er.ps1

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    3297362893dcf07dc882d828230179304619d53c9c4d24d948638063aef0c3ba.exe

  • Size

    601KB

  • Sample

    250227-c3h41asnv7

  • MD5

    37882e074a9e119b017f71e95afe2f07

  • SHA1

    16e298fd29d532d6f0f9742314b2a1995d5ca783

  • SHA256

    3297362893dcf07dc882d828230179304619d53c9c4d24d948638063aef0c3ba

  • SHA512

    3dc8f4e844bb72c493e09d195a6bddaaa9378ddf733796a413fe2f96cbd0077c70c27a85e8e9b85834263ca2a643d49aad8829c9cc9958507e416967a0e94b1a

  • SSDEEP

    12288:b9jJVXyIPaK7M0TXphBTmm215jv2oi7Kf/MQCQN2:b9jJV3aiM+XpnTmlvYKMQCl

Score
10/10
vipkeyloggercollectiondiscoveryexecutionkeyloggerpersistencestealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      3297362893dcf07dc882d828230179304619d53c9c4d24d948638063aef0c3ba.exe

    • Size

      601KB

    • MD5

      37882e074a9e119b017f71e95afe2f07

    • SHA1

      16e298fd29d532d6f0f9742314b2a1995d5ca783

    • SHA256

      3297362893dcf07dc882d828230179304619d53c9c4d24d948638063aef0c3ba

    • SHA512

      3dc8f4e844bb72c493e09d195a6bddaaa9378ddf733796a413fe2f96cbd0077c70c27a85e8e9b85834263ca2a643d49aad8829c9cc9958507e416967a0e94b1a

    • SSDEEP

      12288:b9jJVXyIPaK7M0TXphBTmm215jv2oi7Kf/MQCQN2:b9jJV3aiM+XpnTmlvYKMQCl

    Score
    10/10
    discoveryexecutionvipkeyloggercollectionkeyloggerstealer

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

      stealerkeyloggervipkeylogger

    • Vipkeylogger family

      vipkeylogger

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

      collection

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      ae164b9dd3591a987b0d71dc255c4654

    • SHA1

      41198cb28a31a0ffc3d14540e61a4840800681cc

    • SHA256

      7fafaf28fa6eb7604c61ef816cdd3e5097a0e17695bef0bf9116b6558aa68967

    • SHA512

      57fad70b175fa4f1a525fe413c8bcd87cd66b97053056c91ca912e6796ad19cc613437f49c52adf5ca20c2c54f4c0ef2a41df50cfabe0645de7e6016b5cd05f6

    • SSDEEP

      96:kD7GUxNkO6GR0t9GKKr1Zd8NHYVVHp4dEeY3kRnHdMqqyVgNe43e:kPXhHR0aTQN4gRHdMqJVgNef

    Score
    3/10
    discovery
    behavioral3behavioral4

    • Target

      Arbejdslager/Medlemsideer.Suc

    • Size

      51KB

    • MD5

      3241d79410c0f726b435a89969fc2692

    • SHA1

      2d98961d11e5eff2ff943294ca888c9c09b2d4bd

    • SHA256

      a9885b7e81845b82c03d48fd27455ee43b5f7edfaa467db2578f488c3290fdd3

    • SHA512

      2dbf00168125a9947749e6b03059bfe12ee20c5a7b1baa7828a09acdd40b9d85c7adc39f57eae4fb6b442c83fc2febd067685de9b082d31e6445e4d948a405c1

    • SSDEEP

      768:1V2Zn8dytEVuuO4+EmQvHp6DLFNKEr25vMGjo2cJ6eCkTS0qXW6XZU2f2J1bu:14Z8dsEVOZmEDTKLJMoiAx034U2fqK

    Score
    8/10
    executionpersistence

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Tasks