General

  • Target

    1d7c97138b80caa4a9721ce7575926397613df390e74a0642399918575044a72.xls

  • Size

    166KB

  • Sample

    240821-blff4ssgpd

  • MD5

    9ff5d2917f2746bbb0d57e8b0e4ed3b3

  • SHA1

    27489eb0a1052224bf3424f5c44389f34aa59d27

  • SHA256

    1d7c97138b80caa4a9721ce7575926397613df390e74a0642399918575044a72

  • SHA512

    183d922c39a61c8f5811afbd1c1a7f7d0b1ed91ecace04ccca761df117a6d19948c64ed2b0580cfb06f7b5a4e50450adde409e1be9c645a454cb0c8ba3d9614e

  • SSDEEP

    3072:7rYpmZjeXnNUKOORV+OTCpMC9+Ts/y6gM03cmTwOCW:vY0cnNdkOudKjMXG

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7121690251:AAEuf5zFrwn6F6mTVPJTwU5P1nN1ULFLElA/sendMessage?chat_id=7071568333

Targets

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first observed in 2020.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Evasion via Device Credential Deployment

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup web service to determine the infected system's external IP address.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks