General

  • Target

    24092024_1032_22092024_POI98765678000.doc.x.lz

  • Size

    703KB

  • Sample

    240924-mk4cbsvcnh

  • MD5

    3130fd1187e0ba2aaf68328f9c345d02

  • SHA1

    06bd553b01422508fcbedb3b06c51986b48ab8d7

  • SHA256

    2e6fed58744ebe87823d694952059043451f868c4b7dbf77f40be701d5fc196b

  • SHA512

    3b2cbe475a88be4faa3e6dbfb55dbca27f9956ae3dbec55c0b665520440753f4aa0436745b0c14281ac2455c9ce8dad7adbe7449d87ab18b83713ea0f6f7621d

  • SSDEEP

    12288:ozibDj2/BNywbkGbKZe0+dN18avv1AoyANxRWteitBJmpKqRMSP3/1POv0jtRDX:oObDjCBYwb3KZcdTAo7Pme4DiKqRMSPR

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI/sendMessage?chat_id=6443825857
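The extracted C2 is a Telegram bot-API endpoint: the keylogger posts stolen data with `sendMessage` to a fixed `chat_id` using the bot's token (the part after `bot`). The script below is an added example, not part of this report or of the sample; it pulls the token, bot id, method and chat id out of the URL and hunts for the same bot (or any other Telegram bot) in proxy logs. The C2 URL is the one extracted above; the proxy log lines and the second bot token in them are constructed for the demonstration.

```python
"""Extract Telegram bot-API C2 indicators and hunt for them in proxy logs (added example)."""
import re
from urllib.parse import parse_qs

# Bot-API URL shape: https://api.telegram.org/bot<bot_id>:<secret>/<method>?<query>
# The secret after the colon is the bot's credential; bot_id alone is enough to
# recognise the same bot when the operator switches methods (sendDocument etc.).
TELEGRAM_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)"
    r"/(?P<method>[A-Za-z]+)(?:\?(?P<query>\S*))?"
)

# C2 URL as extracted from the sample's configuration in this report.
C2_URL = ("https://api.telegram.org/bot7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI"
          "/sendMessage?chat_id=6443825857")


def parse_telegram_c2(text):
    """Return the indicators embedded in the first Telegram bot-API URL in text, or None."""
    m = TELEGRAM_BOT_RE.search(text)
    if m is None:
        return None
    qs = parse_qs(m["query"] or "")
    return {
        "bot_id": m["bot_id"],
        "token": f"{m['bot_id']}:{m['secret']}",
        "method": m["method"],
        "chat_id": qs.get("chat_id", [None])[0],
    }


def hunt_proxy_log(lines, known_bot_id):
    """Flag every line that talks to the Telegram bot API.

    Lines using the known bot are labelled 'known_c2'; any other bot token is
    labelled 'other_bot' so a rotated bot or a second family is not missed.
    Returns (line_no, label, method, chat_id) per hit.
    """
    hits = []
    for lineno, line in enumerate(lines, 1):
        info = parse_telegram_c2(line)
        if info is None:
            continue
        label = "known_c2" if info["bot_id"] == known_bot_id else "other_bot"
        hits.append((lineno, label, info["method"], info["chat_id"]))
    return hits


# Constructed proxy log lines (not from the sandbox run); the second bot token is made up.
PROXY_LOG = [
    "2024-09-24 10:33:01 10.0.0.15 GET https://api.ipify.org/ 200",
    "2024-09-24 10:33:04 10.0.0.15 POST " + C2_URL + " 200",
    "2024-09-24 10:35:10 10.0.0.22 POST https://api.telegram.org/bot1234567890:"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sendDocument?chat_id=1111 200",
    "2024-09-24 10:36:00 10.0.0.15 GET https://www.microsoft.com/ 200",
]

if __name__ == "__main__":
    print(parse_telegram_c2(C2_URL))
    for hit in hunt_proxy_log(PROXY_LOG, parse_telegram_c2(C2_URL)["bot_id"]):
        print(hit)
```

The token and chat_id are the indicators worth keeping: the same token with `sendDocument` means the operator is shipping files rather than text, and the same chat_id behind a new token means the bot was rotated but the receiver was not. Outbound requests to api.telegram.org from endpoints are rare enough in most environments that the `other_bot` hits deserve a look too.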

Targets

    • Target

      POI98765678000.exe

    • Size

      793KB

    • MD5

      a02df126a5c561196250dd3c90d0a0c3

    • SHA1

      ca785dd363f65458d665cccbc6df83c846162673

    • SHA256

      ffede3ac9d80782857a477bc5c6df65b31c193734ccfe5ab29bbfa3bc8649fea

    • SHA512

      1103ec84e840e00fb8c648c677c20de3c5c8381671009166826009e307316d7fabef0f5a8511d5d07710e8ce2a942e083b050fcdfd2a42bb38f0c8e0ff1aedc5

    • SSDEEP

      24576:etzxlaIGgVhChb+U7KgElt+MqRMKPRJAmo:etzxlaz/iT+xPRJS

    • VIPKeylogger

      VIPKeylogger is a keylogger and information stealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
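The Defender-exclusion step above is the most detectable behaviour in the list, because it leaves two independent records: the decoded script text in PowerShell Script Block Logging (Event ID 4104) and Defender's own configuration-change event (Event ID 5007), whose message names the registry value under `Windows Defender\Exclusions` that was written. The code below is an added example, not part of this report or of the sample: it parses both record types for `Add-MpPreference`/`Set-MpPreference` exclusion parameters and for `Exclusions\Paths|Extensions|Processes` values. The events it runs over are constructed to resemble those log entries and are not from the sandbox run.

```python
"""Detect Windows Defender exclusion tampering in PowerShell and Defender events (added example)."""
import re

# Add-/Set-MpPreference parameters that carve holes in Defender, mapped to an exclusion kind.
PARAM_KIND = {"-exclusionpath": "path", "-exclusionextension": "extension", "-exclusionprocess": "process"}
# Registry subkeys Defender event 5007 names when an exclusion is written.
KEY_KIND = {"paths": "path", "extensions": "extension", "processes": "process"}

# One Add-/Set-MpPreference invocation, up to the end of its pipeline segment.
MPPREF_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b(?P<args>[^\r\n;|]*)", re.IGNORECASE)
# An exclusion parameter followed by a quoted value or an unquoted, comma-separated list.
PARAM_RE = re.compile(
    r'''(?P<name>-Exclusion(?:Path|Extension|Process))\s+(?P<value>"[^"]*"|'[^']*'|\S+)''',
    re.IGNORECASE,
)
# Defender 5007 reports the changed value, e.g.
#   New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public = 0x0
KEY_RE = re.compile(
    r"Windows Defender\\Exclusions\\(?P<kind>Paths|Extensions|Processes)\\(?P<value>.+?)\s*=\s*0x0",
    re.IGNORECASE,
)


def exclusions_from_scriptblock(text):
    """(kind, value) for every exclusion added by Add-/Set-MpPreference in decoded script text."""
    found = []
    for cmd in MPPREF_RE.finditer(text):
        for p in PARAM_RE.finditer(cmd["args"]):
            kind = PARAM_KIND[p["name"].lower()]
            for value in p["value"].strip("\"'").split(","):
                found.append((kind, value.strip()))
    return found


def exclusions_from_defender_event(text):
    """(kind, value) for every exclusion Defender's configuration-change event (5007) records."""
    return [(KEY_KIND[m["kind"].lower()], m["value"]) for m in KEY_RE.finditer(text)]


def triage(events):
    """events: list of (event_id, message). Returns (event_id, kind, value) per exclusion found."""
    hits = []
    for event_id, message in events:
        if event_id == 4104:
            found = exclusions_from_scriptblock(message)
        elif event_id == 5007:
            found = exclusions_from_defender_event(message)
        else:
            found = []
        hits.extend((event_id, kind, value) for kind, value in found)
    return hits


# Constructed events resembling what this sample's PowerShell step would leave behind.
SAMPLE_EVENTS = [
    (4104, 'Add-MpPreference -ExclusionPath "C:\\Users\\Public" -ExclusionExtension .exe,.dll '
           '-ExclusionProcess POI98765678000.exe'),
    (4104, 'Get-MpComputerStatus | Select-Object AntivirusEnabled'),
    (5007, 'Windows Defender Antivirus Configuration has changed. New value: '
           'HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\Public = 0x0'),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Run the 4104 parser over the decoded script block text, not over the 4688 process command line: an `-EncodedCommand` payload only appears in clear in the script block log. The 5007 record is the one that survives when the cmdlet call is obfuscated or when the exclusion is written some other way, so alert on either source and pair them when both fire for the same value.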

MITRE ATT&CK Enterprise v15

Tasks