General
-
Target
1d7c97138b80caa4a9721ce7575926397613df390e74a0642399918575044a72.xls
-
Size
166KB
-
Sample
240821-blff4ssgpd
-
MD5
9ff5d2917f2746bbb0d57e8b0e4ed3b3
-
SHA1
27489eb0a1052224bf3424f5c44389f34aa59d27
-
SHA256
1d7c97138b80caa4a9721ce7575926397613df390e74a0642399918575044a72
-
SHA512
183d922c39a61c8f5811afbd1c1a7f7d0b1ed91ecace04ccca761df117a6d19948c64ed2b0580cfb06f7b5a4e50450adde409e1be9c645a454cb0c8ba3d9614e
-
SSDEEP
3072:7rYpmZjeXnNUKOORV+OTCpMC9+Ts/y6gM03cmTwOCW:vY0cnNdkOudKjMXG
Static task
static1
Behavioral task
behavioral1
Sample
1d7c97138b80caa4a9721ce7575926397613df390e74a0642399918575044a72.xls
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
1d7c97138b80caa4a9721ce7575926397613df390e74a0642399918575044a72.xls
Resource
win10v2004-20240802-en
Malware Config
Extracted
vipkeylogger
https://api.telegram.org/bot7121690251:AAEuf5zFrwn6F6mTVPJTwU5P1nN1ULFLElA/sendMessage?chat_id=7071568333
Targets
-
-
Target
1d7c97138b80caa4a9721ce7575926397613df390e74a0642399918575044a72.xls
-
Size
166KB
-
MD5
9ff5d2917f2746bbb0d57e8b0e4ed3b3
-
SHA1
27489eb0a1052224bf3424f5c44389f34aa59d27
-
SHA256
1d7c97138b80caa4a9721ce7575926397613df390e74a0642399918575044a72
-
SHA512
183d922c39a61c8f5811afbd1c1a7f7d0b1ed91ecace04ccca761df117a6d19948c64ed2b0580cfb06f7b5a4e50450adde409e1be9c645a454cb0c8ba3d9614e
-
SSDEEP
3072:7rYpmZjeXnNUKOORV+OTCpMC9+Ts/y6gM03cmTwOCW:vY0cnNdkOudKjMXG
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Evasion via Device Credential Deployment
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-