General

  • Target

    1d2630f2a42e681f3f40139eb4b30458e1487ca38f5ac6d92a06dc127c4a2f66.exe

  • Size

    777KB

  • Sample

    240823-k9qreswbpc

  • MD5

    12ead7ca520aa563acfc82f1cf12558d

  • SHA1

    fb5bbcb1e29d8a73e5517c50bbfd5570d66b61cf

  • SHA256

    1d2630f2a42e681f3f40139eb4b30458e1487ca38f5ac6d92a06dc127c4a2f66

  • SHA512

    6d60addd463aeb7a6b87baab35577bf06012e18973fcb92b7c899d7b4c5f988c37cddc434fb4ea650e59179714f70c4537d83716eab48e9ce9a4ebf1b0dcfc1b

  • SSDEEP

    12288:iLwloL3rlW4smxOdAZ6vnN9ytnzqc/fZhNkR+M4fEOl9oxI+XvSPXvqtvYSkSskR:nyvI7bV9wz/kR9lOUfiX6F

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.cristalee.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    vVafScNlLB

Extracted

Family

vipkeylogger

Credentials

  • C2:
    https://api.telegram.org/bot6328369484:AAGfu7CzI26SlUIo2R4VmGTXCS_XV2LzGAs/sendMessage?chat_id=5590894570

Targets

    • Target

      1d2630f2a42e681f3f40139eb4b30458e1487ca38f5ac6d92a06dc127c4a2f66.exe

    • Size

      777KB

    • MD5

      12ead7ca520aa563acfc82f1cf12558d

    • SHA1

      fb5bbcb1e29d8a73e5517c50bbfd5570d66b61cf

    • SHA256

      1d2630f2a42e681f3f40139eb4b30458e1487ca38f5ac6d92a06dc127c4a2f66

    • SHA512

      6d60addd463aeb7a6b87baab35577bf06012e18973fcb92b7c899d7b4c5f988c37cddc434fb4ea650e59179714f70c4537d83716eab48e9ce9a4ebf1b0dcfc1b

    • SSDEEP

      12288:iLwloL3rlW4smxOdAZ6vnN9ytnzqc/fZhNkR+M4fEOl9oxI+XvSPXvqtvYSkSskR:nyvI7bV9wz/kR9lOUfiX6F

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first found in 2020.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks