General

  • Target

    r8x1WvSkbWSUjXh6.exe

  • Size

    866KB

  • Sample

    240924-31p3mswbrb

  • MD5

    c879654588bd4565c5fad8f5dfb8b215

  • SHA1

    8126a81f70c3b50a03c6d52e3ae49847d6094e24

  • SHA256

    c8791fedcdf980a4ac1547529ebeee841fe074b274df52cfeb0fe8aad338c0dd

  • SHA512

    078ab4846262bf1add41745638f9262f4e34278d0005e81d5f86023a4569176ab27f264d61ed519256f76783b193131b7e4482391bf7be12e12b831cccb1a25d

  • SSDEEP

    24576:cgvjxla2YbUOS53Unw4PTN11R25GcCnIVywXYFGgVq:cwjxla2YbUOS+wwJvIcc6gXv

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.ionos.es
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Lmsv26061965@

Extracted

  • Family

    vipkeylogger

Targets

    • Target

      r8x1WvSkbWSUjXh6.exe

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it closely resembles SnakeKeylogger, which was first observed in 2020.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so the sample's own files and process are no longer scanned.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check before running the payload.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, and infostealers often target these files for saved credentials.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
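
The behaviours above (Defender exclusions added through PowerShell, the external IP lookup, and the SMTP exfiltration to the extracted host smtp.ionos.es on port 587) can be turned into detection logic over endpoint telemetry. The following Python is an added example written for this page, not code from the report or from the sandbox vendor. It runs over constructed records shaped like PowerShell script-block logs (Event ID 4104) and Sysmon network-connection events (Event ID 3); the list of legitimate mail clients and the list of IP-lookup hostnames are assumptions, since the report does not name the lookup service used.

```python
"""Detection logic for the VIPKeylogger behaviours in this report, run over
constructed sample telemetry (not captured logs)."""
import re
from typing import Iterable

# Taken from the report: extracted SMTP exfiltration host and port.
EXFIL_SMTP_HOST = "smtp.ionos.es"
EXFIL_SMTP_PORT = 587
# Assumption: processes that legitimately speak SMTP submission on a workstation.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
# Assumption: common external-IP lookup services; the report names none.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "icanhazip.com"}

# One Add-MpPreference invocation per line; capture everything after the cmdlet.
ADD_MPPREF_RE = re.compile(r"Add-MpPreference\b(?P<args>.*)", re.IGNORECASE)
# The three exclusion parameters the report describes, with a quoted or bare value.
EXCLUSION_RE = re.compile(
    r'-(?P<kind>ExclusionPath|ExclusionExtension|ExclusionProcess)\s+'
    r'(?P<value>"[^"]*"|\'[^\']*\'|[^\s-]\S*)', re.IGNORECASE)


def defender_exclusions(script_text: str) -> list[tuple[str, str]]:
    """Return (kind, value) pairs for every Defender exclusion the script adds.
    Comma-separated PowerShell arrays are split into one pair per item."""
    found = []
    for call in ADD_MPPREF_RE.finditer(script_text):
        for ex in EXCLUSION_RE.finditer(call.group("args")):
            raw = ex.group("value").strip("\"'")
            for item in raw.split(","):
                found.append((ex.group("kind").lower(), item.strip()))
    return found


def suspicious_network(event: dict) -> list[str]:
    """Classify one Sysmon Event ID 3 record; returns zero or more finding labels."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    host = event.get("DestinationHostname", "").lower()
    port = int(event.get("DestinationPort", 0))
    findings = []
    # SMTP submission from anything that is not a mail client is the exfil channel.
    if port == EXFIL_SMTP_PORT and image not in MAIL_CLIENTS:
        findings.append("smtp_exfil_known_host" if host == EXFIL_SMTP_HOST
                        else "smtp_submission_from_non_mail_client")
    if host in IP_LOOKUP_HOSTS:
        findings.append("external_ip_lookup")
    return findings


def run_rules(events: Iterable[dict]) -> list[dict]:
    """Apply both rules to a stream of flattened event dicts and return alerts."""
    alerts = []
    for ev in events:
        if ev.get("EventID") == 4104:
            for kind, value in defender_exclusions(ev.get("ScriptBlockText", "")):
                alerts.append({"rule": "defender_exclusion_added",
                               "host": ev["Computer"], "detail": f"{kind}={value}"})
        elif ev.get("EventID") == 3:
            for label in suspicious_network(ev):
                alerts.append({"rule": label, "host": ev["Computer"],
                               "detail": f"{ev['Image']} -> "
                                         f"{ev['DestinationHostname']}:{ev['DestinationPort']}"})
    return alerts


# Constructed sample events mirroring the report's behaviours (not real captures).
SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "WS01",
     "ScriptBlockText": 'Add-MpPreference -ExclusionPath "C:\\Users\\Public" '
                        '-ExclusionExtension exe,dll\n'
                        'Add-MpPreference -ExclusionProcess r8x1WvSkbWSUjXh6.exe'},
    {"EventID": 3, "Computer": "WS01", "Image": "C:\\Users\\Public\\r8x1WvSkbWSUjXh6.exe",
     "DestinationHostname": "checkip.dyndns.org", "DestinationPort": 80},
    {"EventID": 3, "Computer": "WS01", "Image": "C:\\Users\\Public\\r8x1WvSkbWSUjXh6.exe",
     "DestinationHostname": "smtp.ionos.es", "DestinationPort": 587},
    # Benign control: Outlook submitting mail must not fire the SMTP rule.
    {"EventID": 3, "Computer": "WS02",
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "DestinationHostname": "smtp.office365.com", "DestinationPort": 587},
]

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

On the constructed events this yields four `defender_exclusion_added` alerts (the path, the two extensions, and the process), one `external_ip_lookup`, and one `smtp_exfil_known_host`; the Outlook connection on 587 is ignored because the image is in the mail-client allowlist. In production the allowlist should be derived from your own fleet's baseline rather than hard-coded, and the SMTP rule is worth keeping even without a known host, since the credential and server change between builds of this family while the exfil method does not.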

MITRE ATT&CK Enterprise v15

Tasks