General

  • Target: 07daf4cb7c5be4fdfae01ec1d1b8b875a0acd0f9c04326585dc64afe31811260.z
  • Size: 648KB
  • Sample: 240831-bd6y4axaln
  • MD5: e3817372d710ab679df5848af6fff070
  • SHA1: 5a05cb02d7ea7a32a6c29ad76793ee880596dd8d
  • SHA256: 07daf4cb7c5be4fdfae01ec1d1b8b875a0acd0f9c04326585dc64afe31811260
  • SHA512: c26729e006e7f50c7d234a81be39f6ba50a2eb3a761a452768e26505aa17826798272d3cbdbbbae7645006dc6eb90510c403b95cf0cfe2fc4bcd1a78b9425a4b
  • SSDEEP: 12288:4WDs71+zoDieJQSW9iXaCG809Rg8xItmQ2/tYewu0QDOvwdgDbLHrsHN4JNIFbH3:4WI+zoOsW32eVIVu0QDO4d0bva4LOHXn

Malware Config

Extracted

  • Family: vipkeylogger
  • Credentials

Targets

    • Target: INQUIRY.exe
    • Size: 705KB
    • MD5: 08b45641b13ea906bfc7d47656c28573
    • SHA1: 1c8f1759aa3f18b47952cd660542a5a72f522f15
    • SHA256: 30507f7743a936de9f2e37f444a6fbfd7f5d684c9d22cd9354d1967e5333a89a
    • SHA512: 2f70ff6bfeb50231dd7d645b5f9b500f7fd84ed17e3d642896b36c7b985db37046520da04e2ac72704bf31289fedbf3ec8824cc6cbb88675ae888afd56f327b7
    • SSDEEP: 12288:+oW0xqd0fiXOond4GE9FT9rKDScUx7lWPMEyC/e+CMVkigU2kR:+olqdGiXOond1qxKpUB2MEyj+Ppgq

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first observed in 2020.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks