General

  • Target

    RFQ September Order PR 29235 doc-pdf.exe

  • Size

    708KB

  • Sample

    240902-n7116azcjm

  • MD5

    2e316adc2bf3db362d2406207937e4ad

  • SHA1

    0fee2d87ae2883de80f16b87c33db23c9eed73c5

  • SHA256

    e1ff6702cd624b36c3af7773ae135cc60ebf55f5ba9d2acfc516e5488a449e95

  • SHA512

    468b472450a96d05ce3ce80db674e3fe55ef58fad57c72abb20e5280f20190e66611f7c1e0b2ae5bda89c21e31f4260df680625737cccac472c95a6528581b18

  • SSDEEP

    12288:1SBKYvI8qPsP3DRXhko1lRB6NWHNZIuKUqLSiLV+n8SeuF4oBDCSaKzx6cquiLfM:AOHkFeolRLHc5LSAV+8mPC8d6cHY+X

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7204444211:AAFfPnSoEnQ7t4FKDH0Jch2gKTwGo4oCCAs/sendMessage?chat_id=2065242915

Targets

    • Target

      RFQ September Order PR 29235 doc-pdf.exe

    • Size

      708KB

    • MD5

      2e316adc2bf3db362d2406207937e4ad

    • SHA1

      0fee2d87ae2883de80f16b87c33db23c9eed73c5

    • SHA256

      e1ff6702cd624b36c3af7773ae135cc60ebf55f5ba9d2acfc516e5488a449e95

    • SHA512

      468b472450a96d05ce3ce80db674e3fe55ef58fad57c72abb20e5280f20190e66611f7c1e0b2ae5bda89c21e31f4260df680625737cccac472c95a6528581b18

    • SSDEEP

      12288:1SBKYvI8qPsP3DRXhko1lRB6NWHNZIuKUqLSiLV+n8SeuF4oBDCSaKzx6cquiLfM:AOHkFeolRLHc5LSAV+8mPC8d6cHY+X

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks