General

  • Target

    238b48a0994b2bd9e86d0670a02b6c6f7adde932512641b91165c3a489784d00.exe

  • Size

    731KB

  • Sample

    240822-ldy9cssdkq

  • MD5

    6f0e87c46e12499672ae0402ff8a991e

  • SHA1

    63c8801cf96ee9999241b28f101d15da7c4d4b16

  • SHA256

    238b48a0994b2bd9e86d0670a02b6c6f7adde932512641b91165c3a489784d00

  • SHA512

    8d10d8d525886090e5578989d975bbf8f01269adde1a52fb97e5464388bff0fcc041e4b6b52f36e10304d41e6d4575352d5b4085795315d936088eff51396f31

  • SSDEEP

    12288:MWelGoL3rlW4/iTgHhwlL7tlD5+eEv6S6EsUISMJDNw++wA6SS9/rH0os+/EskMj:oTvTiTgHq5+eEB6ELdMBSD6SSZH0n3j

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7514635603:AAFnm0liZNrDoyZysE6fl63uCfuqFuaKPug/sendMessage?chat_id=5116181161

Targets

    • Target

      238b48a0994b2bd9e86d0670a02b6c6f7adde932512641b91165c3a489784d00.exe

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first found in 2020.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup web service to determine the infected system's external IP address.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks