General

  • Target

    03092024_1229_03092024_RFQ-P-19-0341–REP–T0002(MSE).rar

  • Size

    713KB

  • Sample

    240903-pnv68swfpk

  • MD5

    4fbfeaa12671ef66eecf1f6b7e62788a

  • SHA1

    cb7a6391a1bf0e827f6b2b95b6ae537895407254

  • SHA256

    7d86a66b370707f65c3eb588028e2062faddd55897e4e4c738a6bbbeb4a4e819

  • SHA512

    3ebf1fc812f513e7718fb1a1aa58906f49d8bf8bfd78027526ac2951643b249a31163f7b037af8a60039acb027649743a8d4c0ab27ea3b59b125fc40abee930a

  • SSDEEP

    12288:/XqyCw1y9oX4jDzAlLSrHGfVHz9tv/6gvSjhVtzqtJbgK364AHEi0HZDam/jlOz+:/Xq/9oXkD0lQGNHzX/6usOg06hd0y9U

Malware Config

Extracted

  • Family

    vipkeylogger

  • Credentials

Targets

    • Target

      SBR48736_SB_rfq.exe

    • Size

      845KB

    • MD5

      66981bac7d6da2a531df16e0e214e227

    • SHA1

      f519c99923a2099d6392a8fc5eada30c22e56638

    • SHA256

      69dd85ece0f1049bafadcf763ff01bd5cac20a40a31db3130d1aae032ae514d8

    • SHA512

      9533b6a252889d11878bc7bfde3235c0e90805946f30e0fc8365789fda4eb79bbe8667f3841caf16373260d506cab2dd52a96209d011d896ac56d8e7cd9d2b5a

    • SSDEEP

      12288:67zjLf30WH0TwOqp0oCJmP6NzTudiFpfiubrYsCmm0aoHkSdTlJqMh73y8FDf8eK:8jj0ywkpTCfEcFp3brYNU7zJX98eRyz

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#. It closely resembles SnakeKeylogger, which was first seen in 2020.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser's credential store.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so that the excluded items are not scanned.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to discover the infected system's external IP address.

    • Suspicious use of SetThreadContext
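The signatures above are behaviour observations; to reproduce them from your own telemetry you need rules that map raw events back to the same ATT&CK techniques. The following is an added example (not code from the sandbox, the report, or the malware) that runs a small rule set over constructed endpoint events shaped like the behaviours listed: a PowerShell Defender-exclusion command, a registry read of the configured country, browser and email-client credential-store reads, an Outlook profile registry read, an external IP lookup, and a SetThreadContext call. The event shapes, file paths, registry keys, service hostnames, and the technique-id mapping are this example's assumptions, not data taken from the sample.

```python
import re

# Constructed telemetry, shaped as (event_type, detail) tuples. These records
# are illustrative (assumed shapes, not data captured from the sample above).
SAMPLE_EVENTS = [
    ("process_create",
     'powershell.exe -NoProfile -Command "Add-MpPreference -ExclusionPath '
     'C:\\Users\\Public -ExclusionExtension .exe -ExclusionProcess sample.exe"'),
    ("registry_read", "HKCU\\Control Panel\\International\\Geo\\Nation"),
    ("file_read",
     "C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"),
    ("file_read",
     "C:\\Users\\u\\AppData\\Roaming\\Thunderbird\\Profiles\\x.default\\logins.json"),
    ("registry_read",
     "HKCU\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook"),
    ("network", "GET http://api.ipify.org/"),
    ("api_call", "SetThreadContext(thread of suspended child process)"),
    # Benign controls: a rule set that fires on these is too loose.
    ("file_read", "C:\\Windows\\System32\\drivers\\etc\\hosts"),
    ("process_create", 'powershell.exe -Command "Get-MpPreference"'),
]

# Rules: (ATT&CK technique ids, description, event type, pattern).
# The technique ids are ATT&CK Enterprise ids; mapping each report signature
# to an id is this example's interpretation (assumption), not the sandbox's.
RULES = [
    (("T1059.001", "T1562.001"),
     "PowerShell adds Windows Defender exclusions", "process_create",
     re.compile(r"powershell.*(Add|Set)-MpPreference.*-Exclusion(Path|Extension|Process)\b", re.I)),
    (("T1614",), "Reads configured country (geofence check)", "registry_read",
     re.compile(r"\\Control Panel\\International\\Geo\\", re.I)),
    (("T1555.003",), "Reads browser credential store", "file_read",
     re.compile(r"\\(Google\\Chrome|Microsoft\\Edge|BraveSoftware\\Brave-Browser)\\User Data\\.*\\(Login Data|Cookies|Web Data)$"
                r"|\\Mozilla\\Firefox\\Profiles\\.*\\(logins\.json|key4\.db)$", re.I)),
    (("T1114.001",), "Reads local email client profile data", "file_read",
     re.compile(r"\\Thunderbird\\Profiles\\.*\\(logins\.json|key4\.db|abook\.sqlite)$", re.I)),
    (("T1114.001",), "Accesses Outlook profiles in the registry", "registry_read",
     re.compile(r"\\Outlook\\Profiles\\", re.I)),
    (("T1016",), "External IP lookup via public web service", "network",
     re.compile(r"https?://(api\.ipify\.org|ipinfo\.io|checkip\.dyndns\.org|icanhazip\.com|ip-api\.com)\b", re.I)),
    (("T1055",), "SetThreadContext on another process's thread", "api_call",
     re.compile(r"\bSetThreadContext\b")),
]


def triage(events):
    """Map raw events to {technique id: [(description, detail), ...]}."""
    hits = {}
    for event_type, detail in events:
        for techniques, description, rule_type, pattern in RULES:
            if event_type != rule_type or not pattern.search(detail):
                continue
            for tid in techniques:
                hits.setdefault(tid, []).append((description, detail))
    return hits


def summarize(events):
    """Sorted list of technique ids observed, for a one-line ATT&CK summary."""
    return sorted(triage(events))


def untriaged(events):
    """Events no rule claimed, so you can see what the rule set ignores."""
    claimed = {detail for hits in triage(events).values() for _, detail in hits}
    return [e for e in events if e[1] not in claimed]


if __name__ == "__main__":
    for tid, matches in sorted(triage(SAMPLE_EVENTS).items()):
        for description, detail in matches:
            print(f"{tid:10} {description}: {detail[:70]}")
    print("unmatched:", untriaged(SAMPLE_EVENTS))
```

Two design points carry over to real telemetry: the Defender rule is keyed on the exclusion parameters rather than on PowerShell alone, so ordinary administrative use of `Get-MpPreference` does not fire, and the credential-store rules anchor on the store file name at the end of the path, because those files are read by legitimate software only from the owning process, which you would confirm by adding the process image to the event tuple.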

MITRE ATT&CK Enterprise v15

Tasks