General

  • Target: b816aee2dddb815d633c155c46bca42034ee6a1d6cd6a11e95a7613f25c5b573.exe
  • Size: 1.2MB
  • Sample: 240924-mdkawavalb
  • MD5: a6341915e2399564b7b8c054684eb043
  • SHA1: 2dd341b5cbd71a6422691a0a0cbb66b1831a780e
  • SHA256: b816aee2dddb815d633c155c46bca42034ee6a1d6cd6a11e95a7613f25c5b573
  • SHA512: d4025a6f96b2f66a85034cf1adc750796fb130470b3f1ae350ad8cfe30bd2f7cabcef5dc0445e35d18b5980ad9e6e765749bc263d9f85b4839ce634106f52432
  • SSDEEP: 24576:uRmJkcoQricOIQxiZY1iaCCCLMM+xGHB5r+iFvCDJESIWH4hoM:7JZoQrbTFZY1iaCCCLMM+xGHB5JFvCDg

Malware Config

Extracted

Credentials

  • Protocol: ftp
  • Host: ftp.r011.com.br
  • Port: 21
  • Username: [email protected]
  • Password: akP?=r0&YaA)

Extracted

Family

vipkeylogger

Targets

    • Target: b816aee2dddb815d633c155c46bca42034ee6a1d6cd6a11e95a7613f25c5b573.exe
    • Size: 1.2MB
    • MD5: a6341915e2399564b7b8c054684eb043
    • SHA1: 2dd341b5cbd71a6422691a0a0cbb66b1831a780e
    • SHA256: b816aee2dddb815d633c155c46bca42034ee6a1d6cd6a11e95a7613f25c5b573
    • SHA512: d4025a6f96b2f66a85034cf1adc750796fb130470b3f1ae350ad8cfe30bd2f7cabcef5dc0445e35d18b5980ad9e6e765749bc263d9f85b4839ce634106f52432
    • SSDEEP: 24576:uRmJkcoQricOIQxiZY1iaCCCLMM+xGHB5r+iFvCDJESIWH4hoM:7JZoQrbTFZY1iaCCCLMM+xGHB5JFvCDg

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# that resembles SnakeKeylogger, which was first observed in 2020.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks