General

  • Target

    126e60b91cfe9668d55982489a68d58a.hta

  • Size

    114KB

  • Sample

    240822-gqb75ssaqe

  • MD5

    126e60b91cfe9668d55982489a68d58a

  • SHA1

    91f9184ea241dbfb0dcb34ac2daf88cdbe9dc3ce

  • SHA256

    75a5173ae9a99933323ffc8f635686739c847933288a1cf465270c8648cee22b

  • SHA512

    7e1444ef6eba825b6a605e5bbb070473d3d21d6e9581d4b0107844555dd390823617cabcc2ed9755c2a9c888c8434176a5f33cf8ecb90673f087da2860346a17

  • SSDEEP

    96:Ea+M7+fHrde7fHrGe8utGkzI5jGghNRTVKfHrcfHr5ejfHrkAT:Ea+QWpCSEGf/hSU96HT

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7121690251:AAEuf5zFrwn6F6mTVPJTwU5P1nN1ULFLElA/sendMessage?chat_id=7071568333
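The C2 above is a Telegram Bot API endpoint, which is how this family exfiltrates keystrokes and stolen credentials. The numeric part before the colon is the bot id and the remainder is the bot's secret; the bot id is the stable pivot across samples, while the secret is an attacker credential that should be redacted before the indicator is shared. The following Python is an added example, not part of the report, that pulls these fields out of a strings dump and produces a defanged, redacted IOC. It performs no network I/O. The sample input is constructed for the example (it embeds the C2 URL from this report plus decoy lines), and the token shape (numeric id, colon, 35 characters of `[A-Za-z0-9_-]`) is assumed from Telegram's documented bot token format.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qs

# Telegram Bot API URL as it appears in extracted keylogger configs.
# Assumed token shape: <numeric bot id>:<35 chars of [A-Za-z0-9_-]>. The method
# and query string are optional so a bare token embedded in a binary still matches.
TELEGRAM_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d{6,12}):(?P<secret>[A-Za-z0-9_-]{35})"
    r"(?![A-Za-z0-9_-])"
    r"(?:/(?P<method>[A-Za-z]+))?(?P<query>\?[^\s\"'<>]*)?"
)

# Constructed strings dump: the C2 from this report plus two decoys that must not match.
SAMPLE_STRINGS = """
Software\\Microsoft\\Windows\\CurrentVersion\\Run
https://api.telegram.org/bot7121690251:AAEuf5zFrwn6F6mTVPJTwU5P1nN1ULFLElA/sendMessage?chat_id=7071568333
https://api.telegram.org/bot42:tooshort/sendMessage
http://checkip.example/plain
"""


def extract_telegram_c2(blob: str) -> list[dict]:
    """Return one record per Telegram Bot API URL found in the text."""
    hits = []
    for m in TELEGRAM_BOT_RE.finditer(blob):
        query = m.group("query")
        params = parse_qs(query[1:]) if query else {}
        hits.append({
            "bot_id": m.group("bot_id"),
            "token": f"{m.group('bot_id')}:{m.group('secret')}",
            "method": m.group("method"),
            "chat_id": params.get("chat_id", [None])[0],
            "url": m.group(0),
        })
    return hits


def defang_telegram(rec: dict) -> str:
    """Defanged, secret-redacted form of a record for an IOC report or ticket.

    The bot id and chat id are kept because they are the useful pivots; the secret
    is dropped so the indicator cannot be used to drive the attacker's bot.
    """
    s = f"hxxps://api[.]telegram[.]org/bot{rec['bot_id']}:<redacted>"
    if rec["method"]:
        s += f"/{rec['method']}"
    if rec["chat_id"]:
        s += f"?chat_id={rec['chat_id']}"
    return s


if __name__ == "__main__":
    for rec in extract_telegram_c2(SAMPLE_STRINGS):
        print(rec["bot_id"], rec["chat_id"], defang_telegram(rec))
```

Run it against `strings` output or a memory dump of the unpacked payload; matching on the full `api.telegram.org/bot<id>:<secret>` shape rather than on the hostname alone avoids flagging legitimate Telegram client traffic.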

Targets

    • Target

      126e60b91cfe9668d55982489a68d58a.hta

    • Size

      114KB

    • MD5

      126e60b91cfe9668d55982489a68d58a

    • SHA1

      91f9184ea241dbfb0dcb34ac2daf88cdbe9dc3ce

    • SHA256

      75a5173ae9a99933323ffc8f635686739c847933288a1cf465270c8648cee22b

    • SHA512

      7e1444ef6eba825b6a605e5bbb070473d3d21d6e9581d4b0107844555dd390823617cabcc2ed9755c2a9c888c8434176a5f33cf8ecb90673f087da2860346a17

    • SSDEEP

      96:Ea+M7+fHrde7fHrGe8utGkzI5jGghNRTVKfHrcfHr5ejfHrkAT:Ea+QWpCSEGf/hSU96HT

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it closely resembles Snake Keylogger, which was first seen in 2020.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Evasion via Device Credential Deployment

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified build of it.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup web service to learn the infected system's external IP address.

    • AutoIT Executable

      AutoIt scripts compiled into PE executables.

    • Suspicious use of SetThreadContext
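The "UPX packed file" signature above notes that modified UPX builds are covered as well as stock UPX. Stock UPX is trivial to spot from section names (`UPX0`, `UPX1`), but a modified build usually renames them, so a second heuristic is needed: the packer's layout leaves the first section with no raw data (it is the virtual region the stub unpacks into) and puts the compressed payload, which is high-entropy, in the second. The following Python is an added example, not part of the report or of any sandbox's detection code, that parses the PE section table by hand (no `pefile` dependency) and applies both checks. The three PE images it analyses are constructed in the block itself (valid headers and section tables, not loadable programs); the entropy threshold of 7.0 bits per byte for compressed data is an assumption typical of triage heuristics.

```python
from __future__ import annotations

import math
import random
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the data; ~8.0 for compressed or encrypted content, 0 for constant."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(data: bytes) -> list[dict]:
    """Walk MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]    # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]       # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                                     # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)  # SizeOfRawData, PointerToRawData
        raw = data[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name, "raw_size": raw_size, "entropy": shannon_entropy(raw)})
    return sections


def upx_verdict(data: bytes, entropy_threshold: float = 7.0) -> dict:
    """Flag stock UPX by section name, modified UPX by layout (empty first section, dense second)."""
    secs = pe_sections(data)
    names = [s["name"] for s in secs]
    named = any(n.upper().startswith("UPX") for n in names)
    layout = len(secs) >= 2 and secs[0]["raw_size"] == 0 and secs[1]["entropy"] > entropy_threshold
    return {"sections": names, "upx_named_sections": named, "upx_like_layout": layout,
            "packed": named or layout}


def build_pe(sections: list[tuple[bytes, bytes]]) -> bytes:
    """Constructed minimal PE (headers plus section table only) for the examples below."""
    e_lfanew = 0x40
    hdr = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)  # SizeOfOptionalHeader = 0
    raw_base = e_lfanew + 4 + 20 + 40 * len(sections)
    table, body = bytearray(), bytearray()
    for name, raw in sections:
        ptr = raw_base + len(body) if raw else 0
        table += name.ljust(8, b"\0") + struct.pack("<IIII", len(raw) or 0x1000, 0, len(raw), ptr) + b"\0" * 16
        body += raw
    return bytes(hdr) + b"PE\0\0" + coff + bytes(table) + bytes(body)


# Deterministic pseudo-random bytes stand in for a compressed payload (entropy close to 8).
_rng = random.Random(7)
DENSE = bytes(_rng.getrandbits(8) for _ in range(8192))

STOCK_UPX = build_pe([(b"UPX0", b""), (b"UPX1", DENSE), (b".rsrc", b"\0" * 64)])
RENAMED_UPX = build_pe([(b".text", b""), (b".data", DENSE), (b".rsrc", b"\0" * 64)])
CLEAN = build_pe([(b".text", bytes(range(64)) * 32), (b".data", b"\0" * 256), (b".rsrc", b"\0" * 64)])

if __name__ == "__main__":
    for label, img in (("stock UPX", STOCK_UPX), ("renamed UPX", RENAMED_UPX), ("clean", CLEAN)):
        print(label, upx_verdict(img))
```

The layout heuristic is deliberately narrow (empty first section and dense second section) so that ordinary executables with a high-entropy `.rsrc` or `.data` do not trip it; a sample that is flagged by layout but not by name is exactly the "modified UPX" case the signature describes and is worth unpacking manually rather than with `upx -d`.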

MITRE ATT&CK Enterprise v15

Tasks