General

  • Target

    comprobante de pago_0199210023bbva_pdf.exe

  • Size

    1.1MB

  • Sample

    250630-tpphastjw3

  • MD5

    d20da57cffb5bf3434a153f4506b5275

  • SHA1

    61585ace0bc963731bd152203552783c7cc9a473

  • SHA256

    a1f0b37870fac33401d6e0d55d405fcb1b36bd36d999be484bdf7126ba1355a4

  • SHA512

    96231ed0a9df58b7e402623f509e9fbed3c6b7a32168510f154c429348bbc75977126c1d9ddb94f5b51eb9b0955e5bf2558b1144c82dffd0eb1e84e56e6002a5

  • SSDEEP

    24576:Ktsj746lTuzapA3cpivF22qDjpF4j79s1d:KtwzZ5pROF22Ijpqu1d

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot8182481926:AAG_nrRe0FrgZEKtijLwHafQs1b38EJchiE/sendMessage?chat_id=6851905998
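The extracted C2 is a Telegram Bot API endpoint, so the useful IOCs are the bot token (the `bot<id>:<secret>` path segment) and the `chat_id` that receives the stolen data, not the `api.telegram.org` host, which is also used by legitimate clients. The following is an added example (not part of the sandbox report or the malware) that parses the extracted URL into those components, produces a defanged form for sharing, and scans constructed proxy-log lines for the exact token while separately surfacing any other Bot API use for triage. The log lines, the workstation names and the chat_id sign convention (positive for a private chat, negative for groups and channels) are the only things assumed beyond the URL above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# C2 exactly as extracted from the sample in the report above.
C2_URL = ("https://api.telegram.org/bot8182481926:AAG_nrRe0FrgZEKtijLwHafQs1b38EJchiE"
          "/sendMessage?chat_id=6851905998")

# Bot API path shape: /bot<numeric bot id>:<secret>/<method>. Observed secrets are
# 35 characters; the range is kept loose so a format change does not break parsing.
BOT_PATH_RE = re.compile(
    r"^/bot(?P<bot_id>\d{6,15}):(?P<secret>[A-Za-z0-9_-]{30,50})/(?P<method>[A-Za-z]+)$")


def parse_telegram_c2(url):
    """Split a Telegram Bot API exfil URL into IOC components; None if it is not one."""
    p = urlsplit(url)
    if p.scheme != "https" or p.hostname != "api.telegram.org":
        return None
    m = BOT_PATH_RE.match(p.path)
    if not m:
        return None
    info = m.groupdict()
    info["token"] = f"{info['bot_id']}:{info['secret']}"
    chat_id = parse_qs(p.query).get("chat_id", [None])[0]
    info["chat_id"] = chat_id
    # Telegram convention (assumption stated in the lead-in): positive ids are a
    # user's private chat, negative ids are groups/supergroups/channels.
    if chat_id is not None:
        info["chat_kind"] = "private" if int(chat_id) > 0 else "group_or_channel"
    return info


def defang(url):
    """hxxps://api[.]telegram[.]org/... form so the IOC cannot be clicked by accident."""
    p = urlsplit(url)
    scheme = "hxxps" if p.scheme == "https" else "hxxp"
    host = p.hostname.replace(".", "[.]")
    rest = p.path + (f"?{p.query}" if p.query else "")
    return f"{scheme}://{host}{rest}"


def token_hunt_regex(info):
    """Matches only this operator's bot token in URL/proxy logs, not all Telegram traffic."""
    return re.compile(re.escape(f"/bot{info['token']}/"))


# Constructed proxy-log lines for the example (not from the sandbox run):
# an exact token hit, a benign browser request, and a different bot token.
PROXY_LOG = [
    'ws1 POST https://api.telegram.org/bot8182481926:AAG_nrRe0FrgZEKtijLwHafQs1b38EJchiE'
    '/sendMessage 200 "comprobante de pago_0199210023bbva_pdf.exe"',
    'ws2 GET https://web.telegram.org/ 200 "chrome.exe"',
    'ws3 POST https://api.telegram.org/bot1234567890:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
    '/getUpdates 200 "bot.exe"',
]


def scan_proxy_log(lines, info):
    """Tag lines that hit the known token, and any other Bot API use for manual triage."""
    exact = token_hunt_regex(info)
    any_bot = re.compile(r"https://api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+/")
    hits = []
    for line in lines:
        if exact.search(line):
            hits.append(("known_c2_token", line))
        elif any_bot.search(line):
            hits.append(("other_bot_api_use", line))
    return hits


if __name__ == "__main__":
    c2 = parse_telegram_c2(C2_URL)
    print(defang(C2_URL))
    print(c2)
    for tag, line in scan_proxy_log(PROXY_LOG, c2):
        print(tag, "|", line)
```

The token is operator-controlled: calling the Bot API with it (even `getMe`) is visible to the operator and can tip them off, so the example stays offline and only uses the token as a search key.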

Targets

    • Target

      comprobante de pago_0199210023bbva_pdf.exe

    • Size

      1.1MB

    • MD5

      d20da57cffb5bf3434a153f4506b5275

    • SHA1

      61585ace0bc963731bd152203552783c7cc9a473

    • SHA256

      a1f0b37870fac33401d6e0d55d405fcb1b36bd36d999be484bdf7126ba1355a4

    • SHA512

      96231ed0a9df58b7e402623f509e9fbed3c6b7a32168510f154c429348bbc75977126c1d9ddb94f5b51eb9b0955e5bf2558b1144c82dffd0eb1e84e56e6002a5

    • SSDEEP

      24576:Ktsj746lTuzapA3cpivF22qDjpF4j79s1d:KtwzZ5pROF22Ijpqu1d

    • Guloader family

    • Guloader,Cloudeye

      A shellcode-based downloader first seen in 2020.

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

    • Vipkeylogger family

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check.

    • Accesses Microsoft Outlook profiles

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      $PLUGINSDIR/BgImage.dll

    • Size

      7KB

    • MD5

      2d5f40ddc34e9dc8f43b5bf1f61301e3

    • SHA1

      5ed3cd47affc4d55750e738581fce2b40158c825

    • SHA256

      785944e57e8e4971f46f84a07d82dee2ab4e14a68543d83bfe7be7d5cda83143

    • SHA512

      605cebcc480cb71ba8241782d89e030a5c01e1359accbde174cb6bdaf249167347ecb06e3781cb9b1cc4b465cef95f1663f0d9766ed84ebade87aa3970765b3e

    • SSDEEP

      96:8eQMA6z4f7TI20Y1wircawlkX1b3+LDfbAJ8uLzqkLnLiEQjJ3KxkP:tChfHv08wocw3+e8uLmyLpmP

    • Score

      3/10
    • Target

      Infarcted.epi

    • Size

      52KB

    • MD5

      52d13faa9b51fafd8a397453aebfe8c9

    • SHA1

      9ae2104aedec4a5fcd0419f5bc857936c8302931

    • SHA256

      44cc5a7277545a7f5c2b3b53547215304d86e032f00432ccd175a0f1fdd20b7d

    • SHA512

      c159eb6fd641268825fdfc8637eee3f30037c2952bd78eed80b212e778011ae3da781112370966dd94a477d4001fb8bf3c280b8baabd6ff13fd249b33a311ec6

    • SSDEEP

      1536:ZApKCnVH/nTsPLu9HevuB/Hkm6jRK1B1qiu/h:Z4LJbsPnvi/HktaB1y/h

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key under the local machine's Active Setup\Installed Components; the StubPath value of such a key is executed at the next user logon (ATT&CK T1547.014).

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.
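Active Setup persistence is easy to spot from registry telemetry because the stock entries have a predictable shape: GUID-named component keys whose StubPath runs a Microsoft binary from the Windows directory. The following is an added example (not code from the sandbox or the sample) that applies those heuristics to Sysmon Event ID 13 (registry value set) records. The four records are constructed for the example and the ie4uinit.exe entry is modelled on a typical stock one; the writer-process heuristic (a StubPath written by reg.exe or by a process under C:\Users) is an assumption about what legitimate installers do, not something the report states.

```python
import re

# Constructed Sysmon Event ID 13 records (not from the sandbox run): a stock-looking
# entry, a StubPath into AppData written by the sample, an unrelated Run key, and a
# non-GUID component written via reg.exe.
SYSMON_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
                     r"\{89820200-ECBD-11cf-8B85-00AA005B4383}\StubPath",
     "Details": r"C:\Windows\System32\ie4uinit.exe -UserConfig"},
    {"EventID": 13,
     "Image": r"C:\Users\victim\Downloads\comprobante de pago_0199210023bbva_pdf.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components"
                     r"\{2F7A8C1D-0000-4B00-A000-000000000001}\StubPath",
     "Details": r"C:\Users\victim\AppData\Roaming\svchost.exe"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\OneDrive\OneDrive.exe /background"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\Updater\StubPath",
     "Details": r'wscript.exe //B "C:\Windows\Temp\up.vbs"'},
]

# Only StubPath values under the machine-wide Active Setup key (native or WOW6432Node).
ACTIVE_SETUP_RE = re.compile(
    r"^HK(?:LM|EY_LOCAL_MACHINE)\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Active Setup\\"
    r"Installed Components\\(?P<component>[^\\]+)\\StubPath$", re.IGNORECASE)
GUID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.IGNORECASE)
# Locations a standard user can write to; a StubPath pointing here is rarely legitimate.
USER_WRITABLE_RE = re.compile(
    r"(?:%(?:APPDATA|LOCALAPPDATA|TEMP|TMP|USERPROFILE|PUBLIC|PROGRAMDATA)%"
    r"|\\Users\\|\\ProgramData\\|\\Windows\\Temp\\)", re.IGNORECASE)
# Script hosts and download utilities that stock entries (rundll32/regsvr32/ie4uinit) do not use.
SCRIPT_HOST_RE = re.compile(
    r"\b(?:wscript|cscript|mshta|powershell|pwsh|cmd|bitsadmin|certutil)(?:\.exe)?\b",
    re.IGNORECASE)
# Assumption: installers write these keys, not reg.exe or a binary running from a profile.
SUSPICIOUS_WRITER_RE = re.compile(r"(?:\\reg\.exe$|\\Users\\)", re.IGNORECASE)


def analyze_event(ev):
    """Return a finding dict for an Active Setup StubPath write, or None for other events."""
    if ev.get("EventID") != 13:
        return None
    m = ACTIVE_SETUP_RE.match(ev.get("TargetObject", ""))
    if not m:
        return None
    component, stub, writer = m.group("component"), ev.get("Details", ""), ev.get("Image", "")
    reasons = []
    if not GUID_RE.match(component):
        reasons.append("component name is not a GUID")
    if USER_WRITABLE_RE.search(stub):
        reasons.append("StubPath points into a user-writable location")
    if SCRIPT_HOST_RE.search(stub):
        reasons.append("StubPath invokes a script host or download utility")
    if SUSPICIOUS_WRITER_RE.search(writer):
        reasons.append("value written by reg.exe or a process under C:\\Users")
    return {"component": component, "stub_path": stub, "writer": writer, "reasons": reasons}


def find_active_setup_persistence(events):
    """Keep only StubPath writes that tripped at least one heuristic."""
    hits = []
    for ev in events:
        finding = analyze_event(ev)
        if finding and finding["reasons"]:
            hits.append(finding)
    return hits


if __name__ == "__main__":
    for hit in find_active_setup_persistence(SYSMON_EVENTS):
        print(hit["component"], "<-", hit["writer"])
        for reason in hit["reasons"]:
            print("   ", reason)
```

When responding, remember that Active Setup only re-runs the StubPath for a user whose HKCU copy of the component key is missing or carries an older Version value, so a clean-up that deletes only the HKLM key still leaves the payload on disk; remove the StubPath target as well.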

MITRE ATT&CK Enterprise v16

Tasks