General
-
Target
19150498039.zip
-
Size
775KB
-
Sample
240924-lzef3stdpc
-
MD5
adf1ffa2df1227b5cd28a4874065cc9f
-
SHA1
abfeafba6c77b25f314b27fd5787d009b295e69c
-
SHA256
9c42ff6ff60af1d10b894bdefe93d19e6e65e19d71acf6613cc655098d77dcbf
-
SHA512
26d9f6e665ee3026fe9823b3be19d8535619f5e4951b0a82d14fc8d4f4626146eb5b72ec911a3d14358107164ab010f8883834aefebf95a442fac86c7ea54909
-
SSDEEP
24576:JKg0lSYQ+U1kqnUXUoafLqHlB4pAyabzkZYpn/A+sgcd/XYA6gXX:JmQ917uAkDh9/kCpn/l/a/pVXX
Static task
static1
Behavioral task
behavioral1
Sample
53819ffaed1711755829a0644bce9af1d1b00f402577f5a8037f14c318c56a62.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
53819ffaed1711755829a0644bce9af1d1b00f402577f5a8037f14c318c56a62.exe
Resource
win10v2004-20240802-en
Malware Config
Extracted
Protocol: smtp- Host:
smtp.ionos.es - Port:
587 - Username:
[email protected] - Password:
Forja1997@***
Extracted
vipkeylogger
Protocol: smtp- Host:
smtp.ionos.es - Port:
587 - Username:
[email protected] - Password:
Forja1997@*** - Email To:
[email protected]
Targets
-
-
Target
53819ffaed1711755829a0644bce9af1d1b00f402577f5a8037f14c318c56a62
-
Size
865KB
-
MD5
df9f65c4a6597bcdf42bd3a27d2e8a52
-
SHA1
6354cf6bf4343b0444f2555b4708e86b735b7aae
-
SHA256
53819ffaed1711755829a0644bce9af1d1b00f402577f5a8037f14c318c56a62
-
SHA512
1c00cff2119e75dacac16f05c84b7873ef3122d73394d3f672be36eeea455991226d381ee624445fad6ce9900965af8eeb9a956e300c5d1212a31c7efdc25c5c
-
SSDEEP
24576:4I8xlaIGg2imDfV2hCvgOM5ESB3PjHzB8:4I8xlaLDfTCEk7G
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2