General

  • Target

    728471dd6fdd1869a99bfff247c5bf66da0d0185b464a5dbef3ad1e7e58d4980.exe

  • Size

    465KB

  • Sample

    240828-slqeratblf

  • MD5

    395011827c683ed8fc0781a43aa9e214

  • SHA1

    27f26d42f930fb0c48f6459d6f46e8d1eedc8d9c

  • SHA256

    728471dd6fdd1869a99bfff247c5bf66da0d0185b464a5dbef3ad1e7e58d4980

  • SHA512

    cf73d0fa02b5abe26ce2a39f77ff56d22f5351a3d6c403096dd8642c4a518ac9314a32a801d992070198796a328cbb51f4cc4fa121700b89f21c27036e36e306

  • SSDEEP

    12288:qcFfeRdd/zkJpYjX8PgOSN2K45i5ZFFfIv9qvQV:qcJeRdd/zkJOBB4Ihw04V
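
Before relying on a sandbox report, confirm that the file in hand is the one that was analysed. The following Python is an added example, not code from the sandbox or from this page: it recomputes the four digests from the General section that `hashlib` supports and reports any mismatch, and checks the sandbox naming convention that the filename stem equals the SHA256. `SAMPLE_BYTES` is a constructed stand-in, not the real sample, so running the block as written reports a mismatch on every algorithm.

```python
import hashlib

# Digests copied from the General section of this report.
REPORT_DIGESTS = {
    "md5": "395011827c683ed8fc0781a43aa9e214",
    "sha1": "27f26d42f930fb0c48f6459d6f46e8d1eedc8d9c",
    "sha256": "728471dd6fdd1869a99bfff247c5bf66da0d0185b464a5dbef3ad1e7e58d4980",
    "sha512": "cf73d0fa02b5abe26ce2a39f77ff56d22f5351a3d6c403096dd8642c4a518ac9"
              "314a32a801d992070198796a328cbb51f4cc4fa121700b89f21c27036e36e306",
}

# Constructed stand-in bytes (a bare DOS header stub); this is NOT the real sample.
SAMPLE_BYTES = b"MZ" + b"\x00" * 62


def compute_digests(data: bytes, algos=("md5", "sha1", "sha256", "sha512")) -> dict:
    """Return lowercase hex digests of data for each named hashlib algorithm.
    SSDEEP is a fuzzy hash and is not in hashlib (see the note below)."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in algos}


def verify_sample(data: bytes, expected: dict) -> dict:
    """Compare data against the report's digests.
    Returns {algo: (expected, actual)} for every mismatch; an empty dict means
    every listed digest matched."""
    actual = compute_digests(data, tuple(expected))
    return {
        algo: (expected[algo].lower(), actual[algo])
        for algo in expected
        if actual[algo] != expected[algo].lower()
    }


def filename_matches_sha256(filename: str, data: bytes) -> bool:
    """Sandboxes commonly name a sample after its SHA256, as this report does.
    Cheap sanity check that the file on disk is the one the report describes."""
    stem = filename.lower().rsplit(".", 1)[0]
    return stem == hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    mismatches = verify_sample(SAMPLE_BYTES, REPORT_DIGESTS)
    if not mismatches:
        print("all digests match the report")
    for algo, (want, got) in mismatches.items():
        print(f"{algo}: MISMATCH expected {want} got {got}")
```

The SSDEEP value is a context-triggered piecewise (fuzzy) hash; it cannot be checked with `hashlib` and needs the third-party `ssdeep` package, whose `compare` function gives a similarity score rather than an exact match, which is what makes it useful for clustering re-packed builds of the same family.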

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      728471dd6fdd1869a99bfff247c5bf66da0d0185b464a5dbef3ad1e7e58d4980.exe

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it closely resembles Snake Keylogger, which was first observed in 2020.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser's credential store.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its console window hidden from the user.

    • Accesses Microsoft Outlook profiles

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to determine the infected system's external IP address.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
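
The signatures above are the sandbox's summary of observed behaviour. As an added example, not code from the sandbox or from this page, here is a small Python matcher that raises the same signature names from constructed telemetry lines. The `source|details` line shape, the API-trace argument format, the browser credential file paths, the Outlook profile registry key, and the list of IP lookup hostnames are all assumptions made for the example; the report does not say which files, services or arguments triggered its signatures. The two native-API constants (`ThreadHideFromDebugger` = 0x11 and the `NtCreateThreadEx` hide-from-debugger flag 0x4) are the documented Windows values.

```python
import re
from collections import defaultdict

# Windows native API constants the anti-debug signatures key on.
THREAD_HIDE_FROM_DEBUGGER = 0x11              # THREADINFOCLASS ThreadHideFromDebugger
THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x4  # NtCreateThreadEx CreateFlags bit

# Hostnames assumed for the IP-lookup signature; the report does not name the service used.
IP_LOOKUP_HOSTS = (r"(api\.ipify\.org|checkip\.dyndns\.org|ip-api\.com|"
                   r"icanhazip\.com|ipinfo\.io|checkip\.amazonaws\.com)")


def _regex(pattern):
    return re.compile(pattern).search


def _hidden_thread_creation(details):
    # Flag NtCreateThreadEx only when the hide-from-debugger bit is set in CreateFlags.
    m = re.search(r"NtCreateThreadEx\(.*\bCreateFlags=(0x[0-9a-fA-F]+)", details)
    return bool(m) and (int(m.group(1), 16) & THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER) != 0


# (signature name, event source, predicate over the event details)
SIGNATURES = [
    ("Command and Scripting Interpreter: PowerShell", "process",
     _regex(r"(?i)\bpowershell(\.exe)?\b.*\s-w(in\w*)?\s+h(idden)?\b")),
    ("Credentials from Password Stores: Credentials from Web Browsers", "file",
     _regex(r"(?i)\\(User Data\\[^\\]+\\Login Data|logins\.json|key4\.db)$")),
    ("Accesses Microsoft Outlook profiles", "registry",
     _regex(r"(?i)\\Office\\\d+\.\d+\\Outlook\\Profiles\\")),
    ("Looks up external IP address via web service", "http",
     _regex(r"(?i)https?://" + IP_LOOKUP_HOSTS)),
    ("Suspicious use of NtSetInformationThreadHideFromDebugger", "api",
     _regex(r"NtSetInformationThread\(.*\bThreadInformationClass=0x%x\b" % THREAD_HIDE_FROM_DEBUGGER)),
    ("Suspicious use of NtCreateThreadExHideFromDebugger", "api", _hidden_thread_creation),
    ("Suspicious use of SetThreadContext", "api", _regex(r"^SetThreadContext\(")),
]

# Constructed telemetry in a "source|details" shape invented for this example
# (not output from the sandbox that produced the report).
SAMPLE_EVENTS = [
    "process|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile -WindowStyle Hidden -Command Start-Sleep 5",
    "process|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -Command Get-Date",
    "process|C:\\Windows\\System32\\notepad.exe",
    "file|C:\\Users\\victim\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
    "file|C:\\Users\\victim\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\abcd1234.default\\logins.json",
    "registry|HKCU\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676",
    "http|GET http://api.ipify.org/",
    "api|NtSetInformationThread(ThreadHandle=0xffffffff, ThreadInformationClass=0x11)",
    "api|NtCreateThreadEx(CreateFlags=0x4, StartRoutine=0x401000)",
    "api|NtCreateThreadEx(CreateFlags=0x1, StartRoutine=0x402000)",
    "api|SetThreadContext(hThread=0x1a4)",
]


def match_signatures(events):
    """Return {signature name: [matching event details]} for the given lines."""
    hits = defaultdict(list)
    for line in events:
        source, _, details = line.partition("|")
        for name, wanted_source, check in SIGNATURES:
            if source == wanted_source and check(details):
                hits[name].append(details)
    return dict(hits)


if __name__ == "__main__":
    for name, matches in match_signatures(SAMPLE_EVENTS).items():
        print(f"{name}: {len(matches)} event(s)")
```

The three anti-debug signatures describe the same evasion from two angles: `NtSetInformationThread` with `ThreadHideFromDebugger` stops the kernel from delivering debug events for an existing thread, and `NtCreateThreadEx` with the 0x4 flag applies that state at creation time, which is why the matcher tests the flag bit rather than the literal value. `SetThreadContext` on its own is benign; it becomes interesting in combination with the others because redirecting a thread's instruction pointer is how injected code is normally handed control.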

MITRE ATT&CK Enterprise v15
