vipkeylogger

General

Target

3fa876bf68d2874aa0df8fb1d0639337b9ef9b6f3123c9b37aa91d88b5efdabe.exe
Size

682KB
Sample

250325-ywkvxa1zcs
MD5

b6d16d7caaca6a3164c20d48a77c149a
SHA1

20008f1cb1d9f56b51651e69f8f340d39ad2bfdb
SHA256

3fa876bf68d2874aa0df8fb1d0639337b9ef9b6f3123c9b37aa91d88b5efdabe
SHA512

869b6dadfaf017cefb4801d1e9c904f479c711c9894e0424453a41e0cf26cd92cfca84072a81cae75adbda0d23bf8cebc859a099d69c84091a49134ec15657e2
SSDEEP

12288:63u1ja8ouzRfW1vErwvuiiqR6XCAgOmkGPmQC1QLTsMd/LY2F0:63u1jtouF+1XGq05PkU1IT1JU2F0

Score

10^/10

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.vsmne.com.sg
Port:
587
Username:
[email protected]
Password:
V2022!S2022!
Email To:
[email protected]

Targets

- Target
  
  3fa876bf68d2874aa0df8fb1d0639337b9ef9b6f3123c9b37aa91d88b5efdabe.exe
- Size
  
  682KB
- MD5
  
  b6d16d7caaca6a3164c20d48a77c149a
- SHA1
  
  20008f1cb1d9f56b51651e69f8f340d39ad2bfdb
- SHA256
  
  3fa876bf68d2874aa0df8fb1d0639337b9ef9b6f3123c9b37aa91d88b5efdabe
- SHA512
  
  869b6dadfaf017cefb4801d1e9c904f479c711c9894e0424453a41e0cf26cd92cfca84072a81cae75adbda0d23bf8cebc859a099d69c84091a49134ec15657e2
- SSDEEP
  
  12288:63u1ja8ouzRfW1vErwvuiiqR6XCAgOmkGPmQC1QLTsMd/LY2F0:63u1jtouF+1XGq05PkU1IT1JU2F0
Score

10^/10

discovery execution vipkeylogger collection keylogger stealer
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Accesses Microsoft Outlook profiles
  collection
- Blocklisted process makes network request
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  ortografien.Van253
- Size
  
  54KB
- MD5
  
  47ce8571ec7f0f7f10a17ddced1d7570
- SHA1
  
  b7c5c4a8513bfb7267768edf001c4b99d022eade
- SHA256
  
  37965b21b871f3b097534bc9ed8d0690f1e70fa07a1db4cdd182a01f385ccf08
- SHA512
  
  3520d34694b44c2edfe6386819fd7dc9d517a393ac0535b10a85e54d545bbd90c1e5b329365c497b3ee8cfc9ae7ccc2f8c49437111940ca7c21250fbecb3ee1a
- SSDEEP
  
  1536:lQirHwQohFm3b68ejjsgxTttk+WF+rOG0mFkQiN:lQi2hUuJsKTXFcN
Score

8^/10

execution persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral3 behavioral4