General

  • Target

    08b45641b13ea906bfc7d47656c28573.bin

  • Size

    649KB

  • Sample

    240901-bc51eawaln

  • MD5

    0d2b703bddf492ff59c61b9e1924cafe

  • SHA1

    2238e86fdb63bc1748253025a99c2d4d2fff062d

  • SHA256

    6315f61070d193057e9c64317e06da463311f7b75e4861927f3c95ea93809208

  • SHA512

    2d60273a1cc4e8eeac412f409db4d180a5e030845c1cbcdd601b26e8e55f29b04551a5718c563e369158a36da8c9397a98c04e45a15ad9a2e4ac49763191b0b2

  • SSDEEP

    12288:vrVn8E3k3KXWMAj+Qw7lHVIONnQcf9TFaM3RbLkZX1aLFPka35Nny:vrVf3lPoBLD4Tx2XiPJZy

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      30507f7743a936de9f2e37f444a6fbfd7f5d684c9d22cd9354d1967e5333a89a.exe

    • Size

      705KB

    • MD5

      08b45641b13ea906bfc7d47656c28573

    • SHA1

      1c8f1759aa3f18b47952cd660542a5a72f522f15

    • SHA256

      30507f7743a936de9f2e37f444a6fbfd7f5d684c9d22cd9354d1967e5333a89a

    • SHA512

      2f70ff6bfeb50231dd7d645b5f9b500f7fd84ed17e3d642896b36c7b985db37046520da04e2ac72704bf31289fedbf3ec8824cc6cbb88675ae888afd56f327b7

    • SSDEEP

      12288:+oW0xqd0fiXOond4GE9FT9rKDScUx7lWPMEyC/e+CMVkigU2kR:+olqdGiXOond1qxKpUB2MEyj+Ppgq

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# that resembles SnakeKeylogger, which was first seen in 2020.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks