Overview

overview

10

Static

static

1

justifican...09.exe

windows10-2004-x64

10

Lsebgers.ps1

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    justificantedetransferencia-7889893409.exe

  • Size

    1020KB

  • Sample

    250414-td3wjszr18

  • MD5

    4060ccad239038c4a6485563f6a28287

  • SHA1

    3a4d8088e1db32320dfaab3e0d11f053772973a0

  • SHA256

    60814232e8b491aa42c4d37ec185c738319beb104f65ee579f017a4750c04eea

  • SHA512

    30ef737394caa7ee10c3226d0f908c9054480845a45199103f7afe0abb6efc31877cc56b4e783d86393832a6051c135bff0f195b6c8bf3ea68e10e7f49c6c4ef

  • SSDEEP

    24576:ghXzjD/sw7fNgh3VANkbtfu/MK+sqVj50LLoborPpIgaQQhN+A:gpzjD/swfNgn6V+h70A0CZL

Score
10/10
vipkeyloggercollectiondiscoveryexecutionkeyloggerpersistencestealer

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7503700665:AAGL8MMCdDcG7tz-eC9bATTNxcDJaBzKQqA/sendMessage?chat_id=7618581100

Targets

    • Target

      justificantedetransferencia-7889893409.exe

    • Size

      1020KB

    • MD5

      4060ccad239038c4a6485563f6a28287

    • SHA1

      3a4d8088e1db32320dfaab3e0d11f053772973a0

    • SHA256

      60814232e8b491aa42c4d37ec185c738319beb104f65ee579f017a4750c04eea

    • SHA512

      30ef737394caa7ee10c3226d0f908c9054480845a45199103f7afe0abb6efc31877cc56b4e783d86393832a6051c135bff0f195b6c8bf3ea68e10e7f49c6c4ef

    • SSDEEP

      24576:ghXzjD/sw7fNgh3VANkbtfu/MK+sqVj50LLoborPpIgaQQhN+A:gpzjD/swfNgn6V+h70A0CZL

    Score
    10/10
    vipkeyloggercollectiondiscoveryexecutionkeyloggerstealer

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

      stealerkeyloggervipkeylogger

    • Vipkeylogger family

      vipkeylogger

    • Accesses Microsoft Outlook profiles

      collection

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1

    • Target

      Lsebgers.Bre

    • Size

      54KB

    • MD5

      ca6b30d971f2b79383c80f5c12718e8f

    • SHA1

      3f49b9675ce0d5df8f426436624507e5276b5a5a

    • SHA256

      4ac783e447712a8001e6abdc47c4e1b2bbc4a990a0af8c0dc60468762cfd89e0

    • SHA512

      c20c75bc3b1a8a52061072bbc2e7e0dc60980e04d7a78e96fd2552a1a56f023ae84675dd3599245a539a2219c262310d73c4e43530b7a1b7e8b46ceb49aa2707

    • SSDEEP

      768:gcxPtxqjY9q6/XCN4l64sp9yjcyRfrybdKwKZ9sjthzPCklX8H77cw4zQzEjm:t19qJI1cyjnBPZCDPHYv40zEm

    Score
    8/10
    executionpersistence

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral2

MITRE ATT&CK Enterprise v16

Tasks