General
-
Target
purchase order.zip
-
Size
751KB
-
Sample
240828-tqslcaxdpr
-
MD5
8cda3620a0aca60bf561ee745c1e95d8
-
SHA1
d4e47b38ec2fc485a86aaef6abe063dbba4225ea
-
SHA256
0fec3c669c7e1f7c180883a01062dc51394a600cb9a087eed466297f3b22eb13
-
SHA512
7377dbc43fbe19fc1e0aa19329e4ff7bfd4075254b6fb6962518e23d01b236dedd72d16deaae45afdde366272c4c4fe179f52b6ef9ed8277672f9c91736285af
-
SSDEEP
12288:Lctx5RNQk3xY0DRoLgep6spqJRWqK6W//FlTWfMd3ClpAvw6y8bNlFDMy1hMKtae:4vNQkhWg42DKBHvT2AS8bXKMvMomOXL9
Static task
static1
Behavioral task
behavioral1
Sample
GCBrnEGE22coKRz.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
GCBrnEGE22coKRz.exe
Resource
win10v2004-20240802-en
Malware Config
Extracted
vipkeylogger
Protocol: smtp- Host:
us2.smtp.mailhostbox.com - Port:
587 - Username:
[email protected] - Password:
SU#BtOQl4 - Email To:
[email protected]
Targets
-
-
Target
GCBrnEGE22coKRz.exe
-
Size
822KB
-
MD5
5783a1fa182d62eb3838a2e3954a1f36
-
SHA1
eec476fcc102b50390cf983725dbffaee693200e
-
SHA256
a708a6cd710ba79a3dee7a91db6fedf3b3f6da1ab10d6391cc98962ee0904fd1
-
SHA512
31d8cd0fa9f08b7ada602fdd4877c246e892f1d18fdee0cc3e49ac7f293d3b41857009c3a3b97fa14737bdcfa786ed2cdb88b4d5e6383d5f83eda69e5bd4f7d8
-
SSDEEP
12288:XMf55k2851eTl3GpqJTWwK6WP/FlTW/Md3SlpAVF/8CxeYm8ba/DONRoT9H:Xy5xR5VKBXvTUOlNm8bkDD
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2