General

  • Target

    Shipping Documents-pdf.exe

  • Size

    723KB

  • Sample

    240903-pb17qaxdpd

  • MD5

    13391873117bb69417afa5f8b1fd42bc

  • SHA1

    a0d659472cf2860b8efb1355d40cfaf52b6b9a82

  • SHA256

    f1f812cecd0c3a44a3bdca6720dacd7c572ab9bde801be98c521ab89b20c97d7

  • SHA512

    dec21d6a7b860f75e66be3b5d4ffce73b8c1d5dafe9bccd1f1346b115788c54d52cf5fe1fa391dbdfd41f67cad48a6665fe936fad36a031ff6fbcca3f8fe7569

  • SSDEEP

    12288:hozjLf30WH0WLecBK3HqUIH+oA0q5DnjnwLQytecloJEsWME+i:hmjj0ylHB9H+oA0qpjwLQyteLEsWME+i

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7204444211:AAFfPnSoEnQ7t4FKDH0Jch2gKTwGo4oCCAs/sendMessage?chat_id=2065242915
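
The extracted C2 is a Telegram Bot API endpoint, so the useful indicators are the parts of the URL rather than the URL as a whole. The Python below is an added example, not part of the sandbox report: it splits such a URL into the numeric bot ID, the bot secret, the API method and the chat_id, rejects lookalike hosts, and then pivots on the bot ID alone, which keeps matching even if the operator switches the chat or the API method. The function names, the defanging style and the proxy log lines are assumptions of this example; the log lines are constructed, not captured from the run.

```python
import re
from urllib.parse import urlparse, parse_qs

# Telegram Bot API paths have the shape /bot<numeric id>:<secret>/<method>.
_BOT_PATH = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)$")


def parse_telegram_c2(url: str) -> dict:
    """Split a Telegram Bot API exfil URL into its indicator components.

    Raises ValueError when the host is not exactly api.telegram.org or the
    path is not a bot call, so a config extractor cannot silently accept a
    lookalike domain such as api.telegram.org.evil.example.
    """
    u = urlparse(url)
    if u.scheme not in ("http", "https") or (u.hostname or "").lower() != "api.telegram.org":
        raise ValueError(f"not a Telegram Bot API URL: {url!r}")
    m = _BOT_PATH.match(u.path)
    if not m:
        raise ValueError(f"unexpected bot path: {u.path!r}")
    chat_id = parse_qs(u.query).get("chat_id", [None])[0]
    return {
        "bot_id": m["bot_id"],
        "secret": m["secret"],
        "method": m["method"],
        "chat_id": chat_id,
        # Defanged form for pasting into a report (style is an assumption here).
        "defanged": url.replace("https://", "hxxps://").replace("api.telegram.org", "api[.]telegram[.]org"),
    }


def bot_hunt_pattern(bot_id: str) -> re.Pattern:
    """Regex matching any Bot API call by this bot, whatever the method or chat_id."""
    return re.compile(rf"api\.telegram\.org/bot{re.escape(bot_id)}:", re.I)


def proxy_hits(lines, bot_id: str) -> list:
    """Return the proxy log lines that reference the given bot ID."""
    pat = bot_hunt_pattern(bot_id)
    return [ln for ln in lines if pat.search(ln)]


# Constructed proxy log lines for the demo (not from the sandbox run).
PROXY_LOG = [
    "2024-09-03T10:01:12Z 10.0.0.15 CONNECT update.example.net:443",
    "2024-09-03T10:01:14Z 10.0.0.15 POST https://api.telegram.org/bot7204444211:AAFfPnSoEnQ7t4FKDH0Jch2gKTwGo4oCCAs/sendDocument?chat_id=2065242915",
    "2024-09-03T10:02:40Z 10.0.0.22 GET https://api.telegram.org/bot1234567890:notTheSameBot/getMe",
]

if __name__ == "__main__":
    c2 = parse_telegram_c2(
        "https://api.telegram.org/bot7204444211:AAFfPnSoEnQ7t4FKDH0Jch2gKTwGo4oCCAs/sendMessage?chat_id=2065242915"
    )
    print(c2)
    for hit in proxy_hits(PROXY_LOG, c2["bot_id"]):
        print("HIT:", hit)
```

Note that the second constructed log line uses sendDocument rather than sendMessage and still matches, because the hunt pattern keys on the bot ID only; the third line is a different bot and is ignored.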

Targets

    • Target

      Shipping Documents-pdf.exe

    • Size

      723KB

    • MD5

      13391873117bb69417afa5f8b1fd42bc

    • SHA1

      a0d659472cf2860b8efb1355d40cfaf52b6b9a82

    • SHA256

      f1f812cecd0c3a44a3bdca6720dacd7c572ab9bde801be98c521ab89b20c97d7

    • SHA512

      dec21d6a7b860f75e66be3b5d4ffce73b8c1d5dafe9bccd1f1346b115788c54d52cf5fe1fa391dbdfd41f67cad48a6665fe936fad36a031ff6fbcca3f8fe7569

    • SSDEEP

      12288:hozjLf30WH0WLecBK3HqUIH+oA0q5DnjnwLQytecloJEsWME+i:hmjj0ylHB9H+oA0qpjwLQyteLEsWME+i

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# that closely resembles SnakeKeylogger, a family first observed in 2020.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Uses the Visual Basic compiler (vbc.exe) for execution

    • Accesses Microsoft Outlook profiles

      Reads Outlook profile data, where stored mail account settings and credentials live.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      SetThreadContext on another process's thread is the usual final step of process hollowing: a payload is written into a suspended child and the thread's entry point is redirected to it.
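
The signatures above describe one process chain: the sample starts vbc.exe, redirects its thread with SetThreadContext, and the child then reads Outlook profile data, looks up the external IP and posts to the Telegram Bot API. The Python below is an added example, not the sandbox's own detection logic, that expresses each signature as a rule over constructed Sysmon/EDR-style events and escalates a PID that trips several of them. The event schema, the PIDs, the list of IP lookup hosts and the allow-list of parents that legitimately launch vbc.exe are all assumptions; the report does not name the IP lookup service that was used.

```python
import re

SAMPLE = "Shipping Documents-pdf.exe"

# Assumptions of this example: the report does not name the IP lookup service,
# these are merely common ones; likewise the parents that legitimately run vbc.exe.
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "ipinfo.io", "icanhazip.com"}
VBC_LEGIT_PARENTS = {"msbuild.exe", "devenv.exe", "csc.exe", "dotnet.exe"}

OUTLOOK_PROFILES = re.compile(r"\\Software\\Microsoft\\Office\\[\d.]+\\Outlook\\Profiles", re.I)
TELEGRAM_BOT_API = re.compile(r"^https?://api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+/", re.I)

# Constructed events (not from the sandbox run); PIDs and field names are invented.
EVENTS = [
    {"type": "process", "pid": 4100, "image": SAMPLE, "parent_image": "explorer.exe"},
    {"type": "api", "pid": 4100, "api": "SetThreadContext", "target_pid": 4212},
    {"type": "process", "pid": 4212,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe", "parent_image": SAMPLE},
    {"type": "registry", "pid": 4212,
     "key": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
    {"type": "network", "pid": 4212, "dst_host": "api.ipify.org", "dst_port": 443, "url": ""},
    {"type": "network", "pid": 4212, "dst_host": "api.telegram.org", "dst_port": 443,
     "url": "https://api.telegram.org/bot7204444211:AAFfPnSoEnQ7t4FKDH0Jch2gKTwGo4oCCAs/sendMessage?chat_id=2065242915"},
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events) -> dict:
    """Run each rule over the events; return {rule_name: [pid, ...]}."""
    hits = {}

    def add(rule, pid):
        hits.setdefault(rule, []).append(pid)

    for e in events:
        t = e["type"]
        if t == "process":
            if _basename(e["image"]) == "vbc.exe" and _basename(e["parent_image"]) not in VBC_LEGIT_PARENTS:
                add("vbc_spawned_by_non_build_tool", e["pid"])
        elif t == "api" and e["api"] == "SetThreadContext" and e["target_pid"] != e["pid"]:
            # Credit the target process: that is where the injected payload runs,
            # so all later evidence collects on the same PID.
            add("set_thread_context_on_other_process", e["target_pid"])
        elif t == "registry" and OUTLOOK_PROFILES.search(e["key"]):
            add("outlook_profile_access", e["pid"])
        elif t == "network":
            host = e["dst_host"].lower()
            if host in IP_LOOKUP_HOSTS:
                add("external_ip_lookup", e["pid"])
            if host == "api.telegram.org" and TELEGRAM_BOT_API.match(e.get("url", "")):
                add("telegram_bot_api_exfil", e["pid"])
    return hits


def correlate(hits: dict, min_rules: int = 3) -> list:
    """PIDs that tripped at least min_rules distinct rules, most rules first."""
    by_pid = {}
    for rule, pids in hits.items():
        for pid in pids:
            by_pid.setdefault(pid, set()).add(rule)
    flagged = [(len(rules), pid) for pid, rules in by_pid.items() if len(rules) >= min_rules]
    return [pid for _, pid in sorted(flagged, reverse=True)]


if __name__ == "__main__":
    h = detect(EVENTS)
    for rule, pids in h.items():
        print(f"{rule:40s} {pids}")
    print("escalate:", correlate(h))
```

Any one of these rules fires on benign activity now and then (developers run vbc.exe, admins check their public IP), which is why the verdict comes from correlate() counting distinct rules per PID rather than from a single hit.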

MITRE ATT&CK Enterprise v15

Tasks