Overview

overview

10

Static

static

3

3456754365_PDF.exe

windows7-x64

10

3456754365_PDF.exe

windows10-2004-x64

10

$PLUGINSDI...LL.dll

windows7-x64

3

$PLUGINSDI...LL.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    3456754365_PDF.exe

  • Size

    743KB

  • Sample

    250227-me59qstyds

  • MD5

    32e141183a50053d9c465ae8394ac718

  • SHA1

    e9264e0fa77433ce8f1209372a5cbff50d4e3113

  • SHA256

    5ac5d66f604f656b5b7de2506f6e8ad911b81a3bccd1317f315e3cc3ad68851c

  • SHA512

    b83ea417187ec70d13465ea0f36f436e6c51fb6abc79032b42332aa5507541d21eb63dc85b6c53c897287a855b46dfef3e81293ef1876af7b23a28c17a3ee1e2

  • SSDEEP

    12288:Sgn0B2gAPgy1IpO/Cfp3krcah1Ybwb2ub1ayFB+E/1F0bN0FhU0XLJk+Xe/XK41O:oB1STIpO/+p3kIah1YMphayFB+O0bN0h

Score
10/10
guloadervipkeyloggercollectiondiscoverydownloaderkeyloggerspywarestealer

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7925601648:AAFJQr-qYufJQhg5VRCefCc8bUKVvQ_OCT4/sendMessage?chat_id=1940565380

Targets

    • Target

      3456754365_PDF.exe

    • Size

      743KB

    • MD5

      32e141183a50053d9c465ae8394ac718

    • SHA1

      e9264e0fa77433ce8f1209372a5cbff50d4e3113

    • SHA256

      5ac5d66f604f656b5b7de2506f6e8ad911b81a3bccd1317f315e3cc3ad68851c

    • SHA512

      b83ea417187ec70d13465ea0f36f436e6c51fb6abc79032b42332aa5507541d21eb63dc85b6c53c897287a855b46dfef3e81293ef1876af7b23a28c17a3ee1e2

    • SSDEEP

      12288:Sgn0B2gAPgy1IpO/Cfp3krcah1Ybwb2ub1ayFB+E/1F0bN0FhU0XLJk+Xe/XK41O:oB1STIpO/+p3kIah1YMphayFB+O0bN0h

    Score
    10/10
    guloadervipkeyloggerdiscoverydownloaderkeyloggerstealercollectionspyware

    • Guloader family

      guloader

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

      stealerkeyloggervipkeylogger

    • Vipkeylogger family

      vipkeylogger

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/LangDLL.dll

    • Size

      5KB

    • MD5

      174708997758321cf926b69318c6c3f5

    • SHA1

      645488089bf320f6864e0d0bc284c85216e56fbd

    • SHA256

      f577b66492e97c7b8bf515398d8deb745abafd74f56fc03e67fce248ebbeb873

    • SHA512

      214433597e04ca1ff9b4fe092d5d2997707a7c56f0f82c85d586088a200e4455028f3b9427d87b4f06f9252557d5be4b7a9138ea6a8d045df6209421fd8ca054

    • SSDEEP

      48:S46+/ZTKYKxbWsptIpBtWZ0iV8jAWiAJCvxft2O2B8mCofjLl:zDuPbOBtWZBV8jAWiAJCdv2CmpL

    Score
    3/10
    discovery
    behavioral3behavioral4

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      0ff2d70cfdc8095ea99ca2dabbec3cd7

    • SHA1

      10c51496d37cecd0e8a503a5a9bb2329d9b38116

    • SHA256

      982c5fb7ada7d8c9bc3e419d1c35da6f05bc5dd845940c179af3a33d00a36a8b

    • SHA512

      cb5fc0b3194f469b833c2c9abf493fcec5251e8609881b7f5e095b9bd09ed468168e95dda0ba415a7d8d6b7f0dee735467c0ed8e52b223eb5359986891ba6e2e

    • SSDEEP

      192:eK24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35OlASl:u8QIl975eXqlWBrz7YLOlA

    Score
    3/10
    discovery
    behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Tasks