General

  • Target

    a4004b765b4e62bd32933c91301f783d2b864bbb45cf9ae35f0b6681078bb40d.xls

  • Size

    331KB

  • Sample

    240822-ckg4zsxalq

  • MD5

    02b90b88aed63a901dbcb9f1c06e34c1

  • SHA1

    0744024e070c8840acf9f787c18d279c242d1734

  • SHA256

    a4004b765b4e62bd32933c91301f783d2b864bbb45cf9ae35f0b6681078bb40d

  • SHA512

    b9394b6b59287940a94faceda10c584aae3155765e4bb88bbda4b04fe3bc23a1bf44951398ba723913c2c0c661a77c3efb6b000ff5a2efc312dc95c4bf81f901

  • SSDEEP

    6144:c/WOvPZ8NdyOseQAz1Wapbb2zIFhzBvxaLqRRZYj+oUzCJeYILmCL1P:IWOX+PsJAz1p9fhzBIqRR4+BYILt1

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7121690251:AAEuf5zFrwn6F6mTVPJTwU5P1nN1ULFLElA/sendMessage?chat_id=7071568333

Targets

    • Target

      a4004b765b4e62bd32933c91301f783d2b864bbb45cf9ae35f0b6681078bb40d.xls

    • Size

      331KB

    • MD5

      02b90b88aed63a901dbcb9f1c06e34c1

    • SHA1

      0744024e070c8840acf9f787c18d279c242d1734

    • SHA256

      a4004b765b4e62bd32933c91301f783d2b864bbb45cf9ae35f0b6681078bb40d

    • SHA512

      b9394b6b59287940a94faceda10c584aae3155765e4bb88bbda4b04fe3bc23a1bf44951398ba723913c2c0c661a77c3efb6b000ff5a2efc312dc95c4bf81f901

    • SSDEEP

      6144:c/WOvPZ8NdyOseQAz1Wapbb2zIFhzBvxaLqRRZYj+oUzCJeYILmCL1P:IWOX+PsJAz1p9fhzBIqRR4+BYILt1

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first found in 2020.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Evasion via Device Credential Deployment

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks