General

  • Target

    summary_report_0298762tg.RXX.PDF.Z

  • Size

    635KB

  • Sample

    240924-kb39vsxdmp

  • MD5

    1322136f8c0f5d9cf613870d7acfeb43

  • SHA1

    7ab519d32c380c098e6b800189ae14da1ee6fcf1

  • SHA256

    1e27330d41cf2bc0195c050af7b4d42f321752727cf1117332e446a0246fec3e

  • SHA512

    e704d45f138aa75a7982f984f12fb471ed02437a50361b9f753496dce44b47c517d680eec2d6e141b16cea9babd065cfe97ee5b2c42de9f031e63369c3566d13

  • SSDEEP

    12288:QBUI1iUlr5dcNA5cK+NWK0p12dir4UUH+PLLsY2n1Ui3lLLGieJUeyK:QBV1J3f58Ep12disfH+jLX2nxl5cqK

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7331041604:AAE-Us7UbUFSJts_TZoHHXgsfP7KSC7d5do/sendMessage?chat_id=7422462541

Targets

    • Target

      summary_report_0298762tg.exe

    • Size

      684KB

    • MD5

      07f6ab2cc7e02e5b7eb3a1c1df9feb81

    • SHA1

      b1b285b06f48639161e5496a7faac584ac8542e7

    • SHA256

      d843feb33765df99f544515b6bcdffea27cb47a5a14f3b9ae50114b09fb6581d

    • SHA512

      562fa48f630061d0abe95896bd4580eae4b7af07c81f28cc042e5d3f59d7c5bbb13431032ff56863d483697157bb75b7bd5cc9b9368fd54e948d03ec75f8110b

    • SSDEEP

      12288:gJLdutCi+h12jplguYFeg3XbIaVCNfO5Rz9Z9cWqv8l58bQbn:gJLQCiVjplMbz8NOBD9ms2I

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#. It resembles SnakeKeylogger, which was found in 2020.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
