General

  • Target

    19150498039.zip

  • Size

    775KB

  • Sample

    240924-lzef3stdpc

  • MD5

    adf1ffa2df1227b5cd28a4874065cc9f

  • SHA1

    abfeafba6c77b25f314b27fd5787d009b295e69c

  • SHA256

    9c42ff6ff60af1d10b894bdefe93d19e6e65e19d71acf6613cc655098d77dcbf

  • SHA512

    26d9f6e665ee3026fe9823b3be19d8535619f5e4951b0a82d14fc8d4f4626146eb5b72ec911a3d14358107164ab010f8883834aefebf95a442fac86c7ea54909

  • SSDEEP

    24576:JKg0lSYQ+U1kqnUXUoafLqHlB4pAyabzkZYpn/A+sgcd/XYA6gXX:JmQ917uAkDh9/kCpn/l/a/pVXX

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.ionos.es
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Forja1997@***

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      53819ffaed1711755829a0644bce9af1d1b00f402577f5a8037f14c318c56a62

    • Size

      865KB

    • MD5

      df9f65c4a6597bcdf42bd3a27d2e8a52

    • SHA1

      6354cf6bf4343b0444f2555b4708e86b735b7aae

    • SHA256

      53819ffaed1711755829a0644bce9af1d1b00f402577f5a8037f14c318c56a62

    • SHA512

      1c00cff2119e75dacac16f05c84b7873ef3122d73394d3f672be36eeea455991226d381ee624445fad6ce9900965af8eeb9a956e300c5d1212a31c7efdc25c5c

    • SSDEEP

      24576:4I8xlaIGg2imDfV2hCvgOM5ESB3PjHzB8:4I8xlaLDfTCEk7G

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks