General

  • Target

    Bukti-Transfer.vbs

  • Size

    9KB

  • Sample

    240828-fhzg2awapf

  • MD5

    11a8dbecbeb35ba5652b8fd4a9cefc9d

  • SHA1

    8ec32ebe929a907ce8c19433e5c5a6f48f7639c1

  • SHA256

    7441ee61db5f1ca3b26cf09df0763fed9f959b30970be46497e17f8470cb57a6

  • SHA512

    48dc0edf68d4a1f9d70a348a50aa93f8c42928a44a76709a34c641f8a04d3d97ed1fa98ac8aeab2d0ee41588597960ff81109e6e408503d3c4bd7ea96d4d5450

  • SSDEEP

    48:FeuekJeueheueRFF0euejzFF1Le8m3eNeueo:0jkAjYjbjM8mO8jo

Malware Config (Extracted)

  • Family

    vipkeylogger

  • Credentials

Targets

    • Target

      Bukti-Transfer.vbs


    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser's credential store.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
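
The behaviours listed above are what a detection engineer would turn into rules on endpoint telemetry. The script below is an added example, not the sandbox vendor's signature code and not part of the original report: it parses a constructed Sysmon-style event log and maps events to the signature names the report uses. The event format, the registry paths (the Geo\Nation value for the geofence check, the CurrentVersion\Run key, the Outlook Profiles key), the IP-lookup hostnames and the browser credential file names are assumptions chosen for illustration, and the sample log lines are constructed, not captured from this sample.

```python
"""Map constructed endpoint events to the sandbox signature names above.

Added example, not code from the original report or from the sandbox vendor.
Event format, registry paths, hostnames and file names are assumptions.
"""
import re

# Stateless rules keyed by the signature names used in the report.
# Each rule fires when an event of the given type has a target matching the pattern.
RULES = {
    "Checks computer location settings": {
        "type": "RegistryRead",
        "pattern": r"\\Control Panel\\International\\Geo\\Nation$",
    },
    "Adds Run key to start application": {
        "type": "RegistryWrite",
        "pattern": r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
    },
    "Looks up external IP address via web service": {
        "type": "DnsQuery",
        # Assumed list of well-known IP-echo services.
        "pattern": r"^(api\.ipify\.org|checkip\.dyndns\.org|ifconfig\.me)$",
    },
    "Suspicious use of SetThreadContext": {
        "type": "ApiCall",
        "pattern": r"^SetThreadContext$",
    },
    "Reads user/profile data of web browsers": {
        "type": "FileRead",
        # Chromium and Firefox credential stores (assumed file names).
        "pattern": r"\\(Login Data|logins\.json|Web Data)$",
    },
    "Accesses Microsoft Outlook profiles": {
        "type": "RegistryRead",
        "pattern": r"\\Software\\Microsoft\\Office\\\d+\.\d+\\Outlook\\Profiles\\",
    },
}

# Constructed telemetry: "<timestamp> <process> <event type> <target>".
# The target field may itself contain spaces, so it is always the last field.
SAMPLE_LOG = """\
2024-08-28T10:00:00Z wscript.exe FileWrite C:\\Users\\victim\\AppData\\Local\\Temp\\svc.exe
2024-08-28T10:00:01Z wscript.exe ProcessCreate C:\\Users\\victim\\AppData\\Local\\Temp\\svc.exe
2024-08-28T10:00:02Z svc.exe RegistryRead HKCU\\Control Panel\\International\\Geo\\Nation
2024-08-28T10:00:03Z svc.exe ApiCall SetThreadContext
2024-08-28T10:00:04Z svc.exe FileRead C:\\Users\\victim\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data
2024-08-28T10:00:05Z svc.exe RegistryWrite HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc
2024-08-28T10:00:06Z svc.exe DnsQuery api.ipify.org
2024-08-28T10:00:07Z explorer.exe RegistryRead HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced
"""


def parse_events(text):
    """Split each non-empty log line into a dict; the target keeps its spaces."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, etype, target = line.split(" ", 3)
        events.append({"ts": ts, "process": proc, "type": etype, "target": target})
    return events


def match_signatures(events):
    """Return {signature name: [matching events]} for the stateless rules."""
    hits = {}
    for ev in events:
        for name, rule in RULES.items():
            if ev["type"] == rule["type"] and re.search(rule["pattern"], ev["target"]):
                hits.setdefault(name, []).append(ev)
    return hits


def dropped_exe_executed(events):
    """Stateful rule for 'Executes dropped EXE': a file written earlier in the
    trace is later used as the image of a new process. Order matters, so the
    set of written paths is built as the events are walked."""
    written = set()
    launched = []
    for ev in events:
        if ev["type"] == "FileWrite":
            written.add(ev["target"].lower())
        elif ev["type"] == "ProcessCreate" and ev["target"].lower() in written:
            launched.append(ev["target"])
    return launched


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for name, matched in match_signatures(evs).items():
        print(f"{name}: {len(matched)} event(s), first by {matched[0]['process']}")
    for path in dropped_exe_executed(evs):
        print(f"Executes dropped EXE: {path}")
```

Against real telemetry the regex rules produce noise on their own (legitimate installers write Run keys, browsers read their own credential stores); the report's signatures are meaningful because they fire together in a process tree rooted at a script host, which is what the stateful dropped-EXE rule starts to capture.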

MITRE ATT&CK Enterprise v15

Tasks