Overview

overview

10

Static

static

1

Pedido de ...25.exe

windows7-x64

4

Pedido de ...25.exe

windows10-2004-x64

10

Kommunalfo...ns.ps1

windows7-x64

3

Kommunalfo...ns.ps1

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Pedido de Cotação-250325.exe

  • Size

    696KB

  • Sample

    250325-s95jksytax

  • MD5

    57d441d23e79a76c2511fb3e5dbefaa1

  • SHA1

    d830fb5adf84250140d478fe0a7ae0ce9a36d2b2

  • SHA256

    ad4941d74df74cc868e14e6e610f79f88945697697de40a9b2f65d2764efc472

  • SHA512

    48c3649fe095a0022bea0b35f5a0de1cbd6458fec1070e6fa1b655d704692e1c7ee25a6380194e2fbe991e1b0a38bafadf826d6eb4a98f64108aff37e1db7c3b

  • SSDEEP

    12288:Pk+LIW771Zv4WivvZh+JRgTq1Wtrt6PLl2gbXW4EgizmecljPuLmaeqGMeys1ck:fLjbv4Wivv/qOT5oDl2m4gKv0PmUmack

Score
10/10
vipkeyloggercollectiondiscoveryexecutionkeyloggerpersistencestealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      Pedido de Cotação-250325.exe

    • Size

      696KB

    • MD5

      57d441d23e79a76c2511fb3e5dbefaa1

    • SHA1

      d830fb5adf84250140d478fe0a7ae0ce9a36d2b2

    • SHA256

      ad4941d74df74cc868e14e6e610f79f88945697697de40a9b2f65d2764efc472

    • SHA512

      48c3649fe095a0022bea0b35f5a0de1cbd6458fec1070e6fa1b655d704692e1c7ee25a6380194e2fbe991e1b0a38bafadf826d6eb4a98f64108aff37e1db7c3b

    • SSDEEP

      12288:Pk+LIW771Zv4WivvZh+JRgTq1Wtrt6PLl2gbXW4EgizmecljPuLmaeqGMeys1ck:fLjbv4Wivv/qOT5oDl2m4gKv0PmUmack

    Score
    10/10
    discoveryexecutionvipkeyloggercollectionkeyloggerstealer

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

      stealerkeyloggervipkeylogger

    • Vipkeylogger family

      vipkeylogger

    • Accesses Microsoft Outlook profiles

      collection

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      Kommunalforvaltningens.Ant

    • Size

      52KB

    • MD5

      9b2206fe5822117ac8ae5e247b2479a0

    • SHA1

      d7ac05c9c67273fa850aed88f51380a18f0afd80

    • SHA256

      d035bd260c15a3cb57004a2bdcce676dbcf099b9b71fc03bc85db054b1ecedae

    • SHA512

      01ab18106ee90161334849a2ba5fb1a9473c6c20246258135c31dcb57ee2b12c53c3f47f2ff47f6da0e15af7f8aa4b66b9fd2aacc0d021e9d9f6c32ae4959326

    • SSDEEP

      1536:KYe75qoyj7KJ9i0AAMx8fuugvDBFf6lwBhkVQuQ6qUFro:KYkqoO71JaoIWkvvqN

    Score
    8/10
    executionpersistence

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks