General

  • Target

    cdd838b45d524d101528eb39a33e581998201df12a62db5c57d550f7dc20b16e.exe

  • Size

    989KB

  • Sample

    240924-mqldpsvelb

  • MD5

    2d9e12038fbc6ecca8d73a6f6d55e7ff

  • SHA1

    15e90442324db3b01818eda28ec701b5f3a23967

  • SHA256

    cdd838b45d524d101528eb39a33e581998201df12a62db5c57d550f7dc20b16e

  • SHA512

    9ac5701e7b585bb536822e64dc6c1177e5d1b38f439fe1899d72b4923b4e045ada7a4f5d45d578893528222b4cbb9a2a6d1f31f6269ed65778f7149c15962862

  • SSDEEP

    12288:ft4SNdTyUNhF0pM/4Uy2xui0M8dpFwVRhDiO9FhOGCJuiCLz8ZGbCh/gjT9vx9uU:L1YMaP1C8GbChy

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7886689522:AAEAstXIGqlMovFdOeUunu3QKnY0TQjsfNU/sendMessage?chat_id=6332556808

Targets

    • Target

      cdd838b45d524d101528eb39a33e581998201df12a62db5c57d550f7dc20b16e.exe

    • Size

      989KB

    • MD5

      2d9e12038fbc6ecca8d73a6f6d55e7ff

    • SHA1

      15e90442324db3b01818eda28ec701b5f3a23967

    • SHA256

      cdd838b45d524d101528eb39a33e581998201df12a62db5c57d550f7dc20b16e

    • SHA512

      9ac5701e7b585bb536822e64dc6c1177e5d1b38f439fe1899d72b4923b4e045ada7a4f5d45d578893528222b4cbb9a2a6d1f31f6269ed65778f7149c15962862

    • SSDEEP

      12288:ft4SNdTyUNhF0pM/4Uy2xui0M8dpFwVRhDiO9FhOGCJuiCLz8ZGbCh/gjT9vx9uU:L1YMaP1C8GbChy

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    • Drops startup file

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks