General
-
Target
72e7a39bce46e45402cbb4ae13053d57e87a62b06b53164acbe8c18ccf7dc696.exe
-
Size
1.1MB
-
Sample
240820-thygma1cqg
-
MD5
627534bca81ea8cbc73a9ed94df2cf28
-
SHA1
e0364dccc2030ec72321d648f85713b3b218676f
-
SHA256
72e7a39bce46e45402cbb4ae13053d57e87a62b06b53164acbe8c18ccf7dc696
-
SHA512
be76f7dc764bd450fb668a2a1ff66861a72fa653d414091485e085428cb8073fcab202c2f68999fed2909212554572cdbb26b8f5156be2bac2f428508cd3f15c
-
SSDEEP
12288:u1oAMd6OdKEari+ECZp1hUdQ5dM+OIbuH+Tbdf2GX9PzSnS3FY3Tiiy11gR2w:u186h1OajUSOjevco9P2nuFOOD11g
Static task
static1
Behavioral task
behavioral1
Sample
72e7a39bce46e45402cbb4ae13053d57e87a62b06b53164acbe8c18ccf7dc696.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
72e7a39bce46e45402cbb4ae13053d57e87a62b06b53164acbe8c18ccf7dc696.exe
Resource
win10v2004-20240802-en
Malware Config
Extracted
vipkeylogger
https://api.telegram.org/bot7536751044:AAF0FBne988zRhUPGZlDQ1lQ4bW76DiDkXU/sendMessage?chat_id=5600682828
Targets
-
-
Target
72e7a39bce46e45402cbb4ae13053d57e87a62b06b53164acbe8c18ccf7dc696.exe
-
Size
1.1MB
-
MD5
627534bca81ea8cbc73a9ed94df2cf28
-
SHA1
e0364dccc2030ec72321d648f85713b3b218676f
-
SHA256
72e7a39bce46e45402cbb4ae13053d57e87a62b06b53164acbe8c18ccf7dc696
-
SHA512
be76f7dc764bd450fb668a2a1ff66861a72fa653d414091485e085428cb8073fcab202c2f68999fed2909212554572cdbb26b8f5156be2bac2f428508cd3f15c
-
SSDEEP
12288:u1oAMd6OdKEari+ECZp1hUdQ5dM+OIbuH+Tbdf2GX9PzSnS3FY3Tiiy11gR2w:u186h1OajUSOjevco9P2nuFOOD11g
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-