vipkeylogger | 4fafedefad4ed526fe39782e0c0237a66044e201ac71e38da25d46ac99e76db8 | Triage

Sharing

General

Target

4fafedefad4ed526fe39782e0c0237a66044e201ac71e38da25d46ac99e76db8.exe
Size

733KB
Sample

240823-ll45ksygrq
MD5

b62eef3130fccdcecbbbeaecaf335ffd
SHA1

2edcffe4f4f034ae946f136151dee1e44957cf66
SHA256

4fafedefad4ed526fe39782e0c0237a66044e201ac71e38da25d46ac99e76db8
SHA512

b07a295adb725b9baf39b6dad453758a5c8b1ce5a544814a8692cd4754dd36918f873fffcef52109a094012aba74f835eec83a6baeb0f6de860d8676c529b354
SSDEEP

12288:noL3rlW4qZ1Yu+tT5lcU+I6Fe7BfSuwTNgRwUp7E8qcwJiidk43GgHZN0:ovd5lcU+I6Fe9fBQK6aEwEi8V5N0

Score

10^/10

vipkeylogger collection credential_access discovery execution keylogger stealer

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7514635603:AAFnm0liZNrDoyZysE6fl63uCfuqFuaKPug/sendMessage?chat_id=5116181161

Targets

- Target
  
  4fafedefad4ed526fe39782e0c0237a66044e201ac71e38da25d46ac99e76db8.exe
- Size
  
  733KB
- MD5
  
  b62eef3130fccdcecbbbeaecaf335ffd
- SHA1
  
  2edcffe4f4f034ae946f136151dee1e44957cf66
- SHA256
  
  4fafedefad4ed526fe39782e0c0237a66044e201ac71e38da25d46ac99e76db8
- SHA512
  
  b07a295adb725b9baf39b6dad453758a5c8b1ce5a544814a8692cd4754dd36918f873fffcef52109a094012aba74f835eec83a6baeb0f6de860d8676c529b354
- SSDEEP
  
  12288:noL3rlW4qZ1Yu+tT5lcU+I6Fe7BfSuwTNgRwUp7E8qcwJiidk43GgHZN0:ovd5lcU+I6Fe9fBQK6aEwEi8V5N0
Score

10^/10

vipkeylogger collection credential_access discovery execution keylogger stealer
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

vipkeyloggercollectioncredential_accessdiscoveryexecutionkeyloggerstealer

behavioral2

vipkeyloggercollectioncredential_accessdiscoveryexecutionkeyloggerstealer