General
-
Target
1d2630f2a42e681f3f40139eb4b30458e1487ca38f5ac6d92a06dc127c4a2f66.exe
-
Size
777KB
-
Sample
240823-bkf19axeqf
-
MD5
12ead7ca520aa563acfc82f1cf12558d
-
SHA1
fb5bbcb1e29d8a73e5517c50bbfd5570d66b61cf
-
SHA256
1d2630f2a42e681f3f40139eb4b30458e1487ca38f5ac6d92a06dc127c4a2f66
-
SHA512
6d60addd463aeb7a6b87baab35577bf06012e18973fcb92b7c899d7b4c5f988c37cddc434fb4ea650e59179714f70c4537d83716eab48e9ce9a4ebf1b0dcfc1b
-
SSDEEP
12288:iLwloL3rlW4smxOdAZ6vnN9ytnzqc/fZhNkR+M4fEOl9oxI+XvSPXvqtvYSkSskR:nyvI7bV9wz/kR9lOUfiX6F
Static task
static1
Behavioral task
behavioral1
Sample
1d2630f2a42e681f3f40139eb4b30458e1487ca38f5ac6d92a06dc127c4a2f66.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
1d2630f2a42e681f3f40139eb4b30458e1487ca38f5ac6d92a06dc127c4a2f66.exe
Resource
win10v2004-20240802-en
Malware Config
Extracted
Protocol: smtp
Host: mail.cristalee.com
Port: 587
Username: [email protected]
Password: vVafScNlLB
Extracted
vipkeylogger
Protocol: smtp
Host: mail.cristalee.com
Port: 587
Username: [email protected]
Password: vVafScNlLB
Email To: [email protected]
https://api.telegram.org/bot6328369484:AAGfu7CzI26SlUIo2R4VmGTXCS_XV2LzGAs/sendMessage?chat_id=5590894570
Targets
-
Target
1d2630f2a42e681f3f40139eb4b30458e1487ca38f5ac6d92a06dc127c4a2f66.exe
-
Size
777KB
-
MD5
12ead7ca520aa563acfc82f1cf12558d
-
SHA1
fb5bbcb1e29d8a73e5517c50bbfd5570d66b61cf
-
SHA256
1d2630f2a42e681f3f40139eb4b30458e1487ca38f5ac6d92a06dc127c4a2f66
-
SHA512
6d60addd463aeb7a6b87baab35577bf06012e18973fcb92b7c899d7b4c5f988c37cddc434fb4ea650e59179714f70c4537d83716eab48e9ce9a4ebf1b0dcfc1b
-
SSDEEP
12288:iLwloL3rlW4smxOdAZ6vnN9ytnzqc/fZhNkR+M4fEOl9oxI+XvSPXvqtvYSkSskR:nyvI7bV9wz/kR9lOUfiX6F
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious access to, or copying of, a web browser credential store.
-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-