General

  • Target: e3817372d710ab679df5848af6fff070.bin
  • Size: 648KB
  • Sample: 240901-cayc8ayanr
  • MD5: 56d77eaed8313b06f6f3dcca05465d6f
  • SHA1: f69175aed3df29cd59d15e6433f8703e03c6178e
  • SHA256: 3833749a6877ac2c7206d591d74715a5e919ad2af1a811b17ad2c7c07c574bae
  • SHA512: 38ef33e3ba16ba41bfb41f10d7cb45720944bf326d6e9b4c0e755dc14cc2bb2d6c3e2875f8cbc48323c777200652a0a6d1217a1f0c5ac5a41ebab4ec63373a31
  • SSDEEP: 12288:HiEnqIKQ72E35/nqt71R1srQ+zowQXUmK6KW2nwywD3z0tX6xJAumc55d:592E35/nqRv1spzYUmvKB8D3yyAxg5d

Malware Config

Extracted

  • Family: vipkeylogger

Credentials

Targets

    • Target: INQUIRY.exe
    • Size: 705KB
    • MD5: 08b45641b13ea906bfc7d47656c28573
    • SHA1: 1c8f1759aa3f18b47952cd660542a5a72f522f15
    • SHA256: 30507f7743a936de9f2e37f444a6fbfd7f5d684c9d22cd9354d1967e5333a89a
    • SHA512: 2f70ff6bfeb50231dd7d645b5f9b500f7fd84ed17e3d642896b36c7b985db37046520da04e2ac72704bf31289fedbf3ec8824cc6cbb88675ae888afd56f327b7
    • SSDEEP: 12288:+oW0xqd0fiXOond4GE9FT9rKDScUx7lWPMEyC/e+CMVkigU2kR:+olqdGiXOond1qxKpUB2MEyj+Ppgq

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# that resembles SnakeKeylogger, which was first seen in 2020.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofencing check.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks