General
-
Target
03092024_1229_03092024_RFQ-P-19-0341–REP–T0002(MSE).rar
-
Size
713KB
-
Sample
240903-pnv68swfpk
-
MD5
4fbfeaa12671ef66eecf1f6b7e62788a
-
SHA1
cb7a6391a1bf0e827f6b2b95b6ae537895407254
-
SHA256
7d86a66b370707f65c3eb588028e2062faddd55897e4e4c738a6bbbeb4a4e819
-
SHA512
3ebf1fc812f513e7718fb1a1aa58906f49d8bf8bfd78027526ac2951643b249a31163f7b037af8a60039acb027649743a8d4c0ab27ea3b59b125fc40abee930a
-
SSDEEP
12288:/XqyCw1y9oX4jDzAlLSrHGfVHz9tv/6gvSjhVtzqtJbgK364AHEi0HZDam/jlOz+:/Xq/9oXkD0lQGNHzX/6usOg06hd0y9U
Static task
static1
Behavioral task
behavioral1
Sample
SBR48736_SB_rfq.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
SBR48736_SB_rfq.exe
Resource
win10v2004-20240802-en
Malware Config
Extracted
vipkeylogger
Protocol: smtp- Host:
195.54.163.133 - Port:
587 - Username:
[email protected] - Password:
7213575aceACE@ - Email To:
[email protected]
Targets
-
-
Target
SBR48736_SB_rfq.exe
-
Size
845KB
-
MD5
66981bac7d6da2a531df16e0e214e227
-
SHA1
f519c99923a2099d6392a8fc5eada30c22e56638
-
SHA256
69dd85ece0f1049bafadcf763ff01bd5cac20a40a31db3130d1aae032ae514d8
-
SHA512
9533b6a252889d11878bc7bfde3235c0e90805946f30e0fc8365789fda4eb79bbe8667f3841caf16373260d506cab2dd52a96209d011d896ac56d8e7cd9d2b5a
-
SSDEEP
12288:67zjLf30WH0TwOqp0oCJmP6NzTudiFpfiubrYsCmm0aoHkSdTlJqMh73y8FDf8eK:8jj0ywkpTCfEcFp3brYNU7zJX98eRyz
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2