General

  • Target

    SecuriteInfo.com.Win32.PWSXgen.14960.5907.exe

  • Size

    832KB

  • Sample

    240903-jsas7s1flk

  • MD5

    9bd377faa139637bb1f576f02f8a7d45

  • SHA1

    b64153525c91bcaf55c9bea3bd95ac00d00152ce

  • SHA256

    0f8e7a0dea80b398195c5b24326a61e51b5a6d5d7658c0a26e67213b24e36911

  • SHA512

    6cfa5aff9cc338a1ade7ab337ef2b7b764b21b9be2d4da93049c16d0f3e09b3677965092bcd5fec74df1fb2761772a04bad7ff0f2b07769c277bddb83648b176

  • SSDEEP

    12288:yEfzjLf30WH0TwOqp0IyMhIClfAYfiX1FtlzFZ2WFuEDJdy7C5fM0F+:Pjj0ywkpqMPYLltFZ2WFJDJZzF+

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      SecuriteInfo.com.Win32.PWSXgen.14960.5907.exe

    • Size

      832KB

    • MD5

      9bd377faa139637bb1f576f02f8a7d45

    • SHA1

      b64153525c91bcaf55c9bea3bd95ac00d00152ce

    • SHA256

      0f8e7a0dea80b398195c5b24326a61e51b5a6d5d7658c0a26e67213b24e36911

    • SHA512

      6cfa5aff9cc338a1ade7ab337ef2b7b764b21b9be2d4da93049c16d0f3e09b3677965092bcd5fec74df1fb2761772a04bad7ff0f2b07769c277bddb83648b176

    • SSDEEP

      12288:yEfzjLf30WH0TwOqp0IyMhIClfAYfiX1FtlzFZ2WFuEDJdy7C5fM0F+:Pjj0ywkpqMPYLltFZ2WFJDJZzF+

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks