General

  • Target

    eeb9eaa7c9263d1929f0d89632bd5840N.exe

  • Size

    753KB

  • Sample

    240831-p68kaavbmb

  • MD5

    eeb9eaa7c9263d1929f0d89632bd5840

  • SHA1

    686ebf09e77cf107c401aa02a9d1722df9980d80

  • SHA256

    0c1bdf786717b3df2e77a2452ea51c444f933d3e61e01cc39c4f838dbae10e61

  • SHA512

    246bf52df60ee87a5bd573bf57889201a5e7d9eb2268767148670eff8cf8f4e81c4b4fdcab510cf4d3f73208246147e8971fe17717f404929ec6d099b4936e30

  • SSDEEP

    12288:CnXHtVIaz6RIAjIksvGhtYdjXZaP7U9fYChErWm8MRJCrvrORsUj2bi98FAb0:CnXHzX6vIksvecjQTUCMECmyCBab08Q

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      eeb9eaa7c9263d1929f0d89632bd5840N.exe

    • Size

      753KB

    • MD5

      eeb9eaa7c9263d1929f0d89632bd5840

    • SHA1

      686ebf09e77cf107c401aa02a9d1722df9980d80

    • SHA256

      0c1bdf786717b3df2e77a2452ea51c444f933d3e61e01cc39c4f838dbae10e61

    • SHA512

      246bf52df60ee87a5bd573bf57889201a5e7d9eb2268767148670eff8cf8f4e81c4b4fdcab510cf4d3f73208246147e8971fe17717f404929ec6d099b4936e30

    • SSDEEP

      12288:CnXHtVIaz6RIAjIksvGhtYdjXZaP7U9fYChErWm8MRJCrvrORsUj2bi98FAb0:CnXHzX6vIksvecjQTUCMECmyCBab08Q

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP address.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks