General
- Target: 238b48a0994b2bd9e86d0670a02b6c6f7adde932512641b91165c3a489784d00.exe
- Size: 731KB
- Sample: 240822-ldy9cssdkq
- MD5: 6f0e87c46e12499672ae0402ff8a991e
- SHA1: 63c8801cf96ee9999241b28f101d15da7c4d4b16
- SHA256: 238b48a0994b2bd9e86d0670a02b6c6f7adde932512641b91165c3a489784d00
- SHA512: 8d10d8d525886090e5578989d975bbf8f01269adde1a52fb97e5464388bff0fcc041e4b6b52f36e10304d41e6d4575352d5b4085795315d936088eff51396f31
- SSDEEP: 12288:MWelGoL3rlW4/iTgHhwlL7tlD5+eEv6S6EsUISMJDNw++wA6SS9/rH0os+/EskMj:oTvTiTgHq5+eEB6ELdMBSD6SSZH0n3j
Static task: static1
Behavioral task: behavioral1
- Sample: 238b48a0994b2bd9e86d0670a02b6c6f7adde932512641b91165c3a489784d00.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 238b48a0994b2bd9e86d0670a02b6c6f7adde932512641b91165c3a489784d00.exe
- Resource: win10v2004-20240802-en
Malware Config
- Extracted (vipkeylogger): https://api.telegram.org/bot7514635603:AAFnm0liZNrDoyZysE6fl63uCfuqFuaKPug/sendMessage?chat_id=5116181161
Targets
- Target: 238b48a0994b2bd9e86d0670a02b6c6f7adde932512641b91165c3a489784d00.exe (size and hashes identical to those listed under General)
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious access to, or copying of, the web browser credential store.
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext