General

  • Target

    24092024_1127_23092024_PO.zip

  • Size

    851KB

  • Sample

    240924-nkr5qssgqk

  • MD5

    a8d4da7017403fd9a60f037aa47406b8

  • SHA1

    87d38d8fbe41d0670f3722781034ecdf17966301

  • SHA256

    73aab2299c828e5d304c4015189f1d90e7d48e09558eb072a92c7e2b5af1089e

  • SHA512

    e656c1184fae47190082ad0c848795a293342cb51d790d13d16017c09c5e78b1b9f9ed94fe9337dbbd3c2dee89d57708cee0e12fc9b3ece48b91671a3cbea729

  • SSDEEP

    24576:1t7Y8R39qYXC6ruzdR8NBpMiEGtf0/tGgYx4firr2u:1t7Y89qYXC6ruzIlMwtfct5YW6rqu

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Password: )NYyffR0

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      PO.exe

    • Size

      1.2MB

    • MD5

      76bb2880fcbd59252a605dec709b8c57

    • SHA1

      2fb7daa1a191d3bc9bd372772949fb6562205535

    • SHA256

      9d65930a077590c41608d08e362e52740b93aa288c7cb6929dd6daf334afd807

    • SHA512

      70d4afab534487289fd757059f49c2f800e190a8f5b1bafa3a71c4181c831286a758251bfa895b1884fce90673060cfe906543089d7ef6b1f4cf44d61627b9ee

    • SSDEEP

      24576:pRmJkcoQricOIQxiZY1iaXCNgN3pSwE+/fePboIID4fctrNl:mJZoQrbTFZY1iaXj/S6/fKb9Ik0thl

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it closely resembles SnakeKeylogger, which was first observed in 2020.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext
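The behaviours above (startup persistence, an external IP lookup, and SMTP exfiltration to the host and port in the extracted config) are the ones a detection engineer would turn into a correlation rule. The following is an added example, not part of the sandbox report: it scores Sysmon-style process, file, registry and network events per process and flags a process that either contacts the reported SMTP host on port 587 or shows two or more of the listed behaviours. The events are constructed for illustration, and the IP-lookup host list, the mail-client allowlist and the startup-folder/Run-key markers are assumptions, since the report does not say which lookup service or persistence path this sample used.

```python
"""Correlate endpoint telemetry against the behaviours listed in the report.

Added example; the events below are constructed and the host lists are
assumptions, not data taken from the sandbox run.
"""
from collections import defaultdict
import ntpath

# From the extracted config in the report: SMTP exfiltration endpoint.
REPORTED_SMTP = ("us2.smtp.mailhostbox.com", 587)
SMTP_PORTS = {25, 465, 587}
# Assumption: processes that are expected to speak SMTP on this host.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
# Assumption: common "what is my IP" services; the report names none.
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "ip-api.com", "icanhazip.com"}
# Assumption: persistence locations that match "Drops startup file".
STARTUP_MARKER = "\\start menu\\programs\\startup\\"
RUN_KEY_MARKER = "\\currentversion\\run"

# Constructed Sysmon-like events (id 1 = process create, 3 = network connect,
# 11 = file create, 13 = registry value set). Not from the report.
EVENTS = [
    {"id": 1, "pid": 4120, "image": r"C:\Users\u\AppData\Local\Temp\PO.exe"},
    {"id": 11, "pid": 4120, "target": r"C:\Users\u\AppData\Roaming\Microsoft\Windows"
                                      r"\Start Menu\Programs\Startup\PO.vbs"},
    {"id": 13, "pid": 4120, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\PO"},
    {"id": 3, "pid": 4120, "dest_host": "api.ipify.org", "dest_port": 443},
    {"id": 3, "pid": 4120, "dest_host": "us2.smtp.mailhostbox.com", "dest_port": 587},
    {"id": 1, "pid": 5200, "image": r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe"},
    {"id": 3, "pid": 5200, "dest_host": "smtp.example.com", "dest_port": 587},
]


def image_name(path):
    """Lower-cased basename of a Windows image path (works on any host OS)."""
    return ntpath.basename(path).lower()


def indicators_for(events):
    """Return (pid -> image, pid -> set of behaviour names) for the event stream."""
    images = {}
    hits = defaultdict(set)
    for ev in events:
        pid = ev["pid"]
        if ev["id"] == 1:
            images[pid] = ev["image"]
        elif ev["id"] == 11 and STARTUP_MARKER in ev["target"].lower():
            hits[pid].add("persistence_startup")
        elif ev["id"] == 13 and RUN_KEY_MARKER in ev["key"].lower():
            hits[pid].add("persistence_startup")
        elif ev["id"] == 3:
            host, port = ev["dest_host"].lower(), ev["dest_port"]
            if host in IP_LOOKUP_HOSTS:
                hits[pid].add("ip_lookup")
            if (host, port) == REPORTED_SMTP:
                hits[pid].add("smtp_to_reported_host")
            # A process with no recorded image (e.g. started before logging
            # began) is treated as unknown and therefore not a mail client.
            if port in SMTP_PORTS and image_name(images.get(pid, "")) not in MAIL_CLIENTS:
                hits[pid].add("smtp_from_non_mail_client")
    return images, hits


def triage(events):
    """Flag a process on a known-bad SMTP destination or on two or more behaviours."""
    images, hits = indicators_for(events)
    flagged = {}
    for pid, inds in hits.items():
        if "smtp_to_reported_host" in inds or len(inds) >= 2:
            flagged[pid] = {"image": images.get(pid), "indicators": sorted(inds)}
    return flagged


if __name__ == "__main__":
    for pid, info in triage(EVENTS).items():
        print(pid, info["image"], ", ".join(info["indicators"]))
```

The single-indicator threshold is deliberately avoided: a legitimate updater may query an IP-lookup service, and a mail client will legitimately use port 587, so only the combination (or the exact host from the extracted config) is treated as a hit.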

MITRE ATT&CK Enterprise v15

Tasks