General
Target: 75a5173ae9a99933323ffc8f635686739c847933288a1cf465270c8648cee22b.hta
Size: 114KB
Sample: 240823-cntxyszfja
MD5: 126e60b91cfe9668d55982489a68d58a
SHA1: 91f9184ea241dbfb0dcb34ac2daf88cdbe9dc3ce
SHA256: 75a5173ae9a99933323ffc8f635686739c847933288a1cf465270c8648cee22b
SHA512: 7e1444ef6eba825b6a605e5bbb070473d3d21d6e9581d4b0107844555dd390823617cabcc2ed9755c2a9c888c8434176a5f33cf8ecb90673f087da2860346a17
SSDEEP: 96:Ea+M7+fHrde7fHrGe8utGkzI5jGghNRTVKfHrcfHr5ejfHrkAT:Ea+QWpCSEGf/hSU96HT
Static task: static1
Behavioral task: behavioral1
  Sample: 75a5173ae9a99933323ffc8f635686739c847933288a1cf465270c8648cee22b.hta
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 75a5173ae9a99933323ffc8f635686739c847933288a1cf465270c8648cee22b.hta
  Resource: win10v2004-20240802-en
Malware Config
Extracted family: vipkeylogger
Extracted exfiltration URL: https://api.telegram.org/bot7121690251:AAEuf5zFrwn6F6mTVPJTwU5P1nN1ULFLElA/sendMessage?chat_id=7071568333
Targets
- VIPKeylogger: VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.
- Credentials from Password Stores: Credentials from Web Browsers: malicious access to, or copying of, the web browser credential store.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Evasion via Device Credential Deployment
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable: AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext