General

  • Target

    4fa229e6da81c93db341d4104744658b85e648a48637932e3154a537dcb6cc5a.exe

  • Size

    883KB

  • Sample

    240828-b3mlrazdmh

  • MD5

    48ccd601598b6372d099d8848d63a7ab

  • SHA1

    e082721fb804b35df17552d331fcdac1bffc7992

  • SHA256

    4fa229e6da81c93db341d4104744658b85e648a48637932e3154a537dcb6cc5a

  • SHA512

    9a62d64edb6ab1d886e1a6c52ddfed6d7282baea9abd972fa6c5b86a3fec1a20bf96202b56572381675070e5aa90d471e20544408ef5aacf7a74c2d71403ad2a

  • SSDEEP

    12288:4v6LRHizSL2m8vJvPgoLzsrbndG1K5lKGH9R12NoqZRIPxgQwYTs:46RCfzRX+r4K5lrPonawYT

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    l!xsPcJ7

Extracted

Family

vipkeylogger

Credentials

Targets

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first found in 2020.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
