General

  • Target: 8fb01222a057c3fdbb0b84e05abf69c801c27acb2705ccceb53c80ea3dd0e960.exe
  • Size: 669KB
  • Sample: 250228-dr7tnaywey
  • MD5: df5d0cd5726909ab03222423e324c499
  • SHA1: 6a71a4b56ee5b334eeb8767179cf475d70c5e9fc
  • SHA256: 8fb01222a057c3fdbb0b84e05abf69c801c27acb2705ccceb53c80ea3dd0e960
  • SHA512: c3c4b178abb9b82adfc569caa66a35f7e45c821062d8e1d9ac1bb9e7fd7e32004e554c5c2e0365b030ead4eff75ae050c2adf5319d479e4a8e395587e05cbc8e
  • SSDEEP: 12288:nknx3DkSMl8QW0c3xMuVKKuuJZYWd4k+QHgkb/n8xpG:43D2f8VKqZYWd4k+Q7T8S

Malware Config

Extracted

  • Family: vipkeylogger

Credentials

  • C2: https://api.telegram.org/bot7688075474:AAFD0RRgEd3hJhNpHxFs4OWkLJUyvCWsJJg/sendMessage?chat_id=6851905998

Targets

    • Target: 8fb01222a057c3fdbb0b84e05abf69c801c27acb2705ccceb53c80ea3dd0e960.exe
    • Size: 669KB
    • MD5: df5d0cd5726909ab03222423e324c499
    • SHA1: 6a71a4b56ee5b334eeb8767179cf475d70c5e9fc
    • SHA256: 8fb01222a057c3fdbb0b84e05abf69c801c27acb2705ccceb53c80ea3dd0e960
    • SHA512: c3c4b178abb9b82adfc569caa66a35f7e45c821062d8e1d9ac1bb9e7fd7e32004e554c5c2e0365b030ead4eff75ae050c2adf5319d479e4a8e395587e05cbc8e
    • SSDEEP: 12288:nknx3DkSMl8QW0c3xMuVKKuuJZYWd4k+QHgkb/n8xpG:43D2f8VKqZYWd4k+Q7T8S

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

    • Vipkeylogger family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Accesses Microsoft Outlook profiles

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP address.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target: Tetragynian.Acr
    • Size: 52KB
    • MD5: 2b6f3bbd81d1494893fdfae65f14f57d
    • SHA1: 3963fa8a7615c4ed1aa6cf77619a8cfec862ad26
    • SHA256: e42fe8d5aa6aab594e2fee44f18005b3137deea78fb22524da60b846619ce996
    • SHA512: d9bfc6474d5cbad220ffc8411ed7526aa60423f726dafc453c85e115994729095dd4cbcfa125f3faeaef238a89bf3ba162684961030d6873956cc2fc841ec2ae
    • SSDEEP: 1536:EikIiU3xXA2FTC4CNLcz2QLVS+QU7tZli:EikI53xwERC0lS4tZli

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15