General

  • Target

    72e7a39bce46e45402cbb4ae13053d57e87a62b06b53164acbe8c18ccf7dc696.exe

  • Size

    1.1MB

  • Sample

    240820-thygma1cqg

  • MD5

    627534bca81ea8cbc73a9ed94df2cf28

  • SHA1

    e0364dccc2030ec72321d648f85713b3b218676f

  • SHA256

    72e7a39bce46e45402cbb4ae13053d57e87a62b06b53164acbe8c18ccf7dc696

  • SHA512

    be76f7dc764bd450fb668a2a1ff66861a72fa653d414091485e085428cb8073fcab202c2f68999fed2909212554572cdbb26b8f5156be2bac2f428508cd3f15c

  • SSDEEP

    12288:u1oAMd6OdKEari+ECZp1hUdQ5dM+OIbuH+Tbdf2GX9PzSnS3FY3Tiiy11gR2w:u186h1OajUSOjevco9P2nuFOOD11g

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7536751044:AAF0FBne988zRhUPGZlDQ1lQ4bW76DiDkXU/sendMessage?chat_id=5600682828

Targets

    • Target

      72e7a39bce46e45402cbb4ae13053d57e87a62b06b53164acbe8c18ccf7dc696.exe

    • Size

      1.1MB

    • MD5

      627534bca81ea8cbc73a9ed94df2cf28

    • SHA1

      e0364dccc2030ec72321d648f85713b3b218676f

    • SHA256

      72e7a39bce46e45402cbb4ae13053d57e87a62b06b53164acbe8c18ccf7dc696

    • SHA512

      be76f7dc764bd450fb668a2a1ff66861a72fa653d414091485e085428cb8073fcab202c2f68999fed2909212554572cdbb26b8f5156be2bac2f428508cd3f15c

    • SSDEEP

      12288:u1oAMd6OdKEari+ECZp1hUdQ5dM+OIbuH+Tbdf2GX9PzSnS3FY3Tiiy11gR2w:u186h1OajUSOjevco9P2nuFOOD11g

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks