General
Target: Pedido de Cotação-250325.exe
Size: 696KB
Sample: 250325-s95jksytax
MD5: 57d441d23e79a76c2511fb3e5dbefaa1
SHA1: d830fb5adf84250140d478fe0a7ae0ce9a36d2b2
SHA256: ad4941d74df74cc868e14e6e610f79f88945697697de40a9b2f65d2764efc472
SHA512: 48c3649fe095a0022bea0b35f5a0de1cbd6458fec1070e6fa1b655d704692e1c7ee25a6380194e2fbe991e1b0a38bafadf826d6eb4a98f64108aff37e1db7c3b
SSDEEP: 12288:Pk+LIW771Zv4WivvZh+JRgTq1Wtrt6PLl2gbXW4EgizmecljPuLmaeqGMeys1ck:fLjbv4Wivv/qOT5oDl2m4gKv0PmUmack
Static task: static1
Behavioral task: behavioral1
  Sample: Pedido de Cotação-250325.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: Pedido de Cotação-250325.exe
  Resource: win10v2004-20250314-en
Behavioral task: behavioral3
  Sample: Kommunalforvaltningens.ps1
  Resource: win7-20250207-en
Behavioral task: behavioral4
  Sample: Kommunalforvaltningens.ps1
  Resource: win10v2004-20250314-en
Malware Config
Extracted: vipkeylogger
  Protocol: smtp
  Host: mail.frirui.pt
  Port: 587
  Username: [email protected]
  Password: Friruimail2020
  Email To: [email protected]
Targets

Target: Pedido de Cotação-250325.exe
Size: 696KB
MD5: 57d441d23e79a76c2511fb3e5dbefaa1
SHA1: d830fb5adf84250140d478fe0a7ae0ce9a36d2b2
SHA256: ad4941d74df74cc868e14e6e610f79f88945697697de40a9b2f65d2764efc472
SHA512: 48c3649fe095a0022bea0b35f5a0de1cbd6458fec1070e6fa1b655d704692e1c7ee25a6380194e2fbe991e1b0a38bafadf826d6eb4a98f64108aff37e1db7c3b
SSDEEP: 12288:Pk+LIW771Zv4WivvZh+JRgTq1Wtrt6PLl2gbXW4EgizmecljPuLmaeqGMeys1ck:fLjbv4Wivv/qOT5oDl2m4gKv0PmUmack
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# that resembles SnakeKeylogger, which was found in 2020.
- Vipkeylogger family
- Accesses Microsoft Outlook profiles
- Blocklisted process makes network request
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: Kommunalforvaltningens.Ant
Size: 52KB
MD5: 9b2206fe5822117ac8ae5e247b2479a0
SHA1: d7ac05c9c67273fa850aed88f51380a18f0afd80
SHA256: d035bd260c15a3cb57004a2bdcce676dbcf099b9b71fc03bc85db054b1ecedae
SHA512: 01ab18106ee90161334849a2ba5fb1a9473c6c20246258135c31dcb57ee2b12c53c3f47f2ff47f6da0e15af7f8aa4b66b9fd2aacc0d021e9d9f6c32ae4959326
SSDEEP: 1536:KYe75qoyj7KJ9i0AAMx8fuugvDBFf6lwBhkVQuQ6qUFro:KYkqoO71JaoIWkvvqN
Score: 8/10
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.