General

  • Target

    2240902473.pdf.exe

  • Size

    703KB

  • Sample

    240924-rsfcpayeqm

  • MD5

    d48a40e1ebe635d7368017c6fe020f09

  • SHA1

    3c66aa4de1f6d27f5ac9c01eae8f92bda4ba2417

  • SHA256

    27336a02b8be0e210cae46d680509f78bff16d64f653925b55a11cc837341eea

  • SHA512

    d0c8e024c3ed345b2a1dead2d524c93b04da95ea41dbbd7c2f7e1114def9440f9308918366e0febec22b385aece156dc1853b7f71fbe7cb82cbfa9e89ada3a56

  • SSDEEP

    12288:9dOsd0DUdUAum4zaLLp/Jy+ft1be4qcWsAXxcnrC/bZQMglIMw5:Csd0IdT4GLFxy+lIpD6uNoIt

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.ionos.fr
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Rajahsouthfruits5

Extracted

Family

vipkeylogger

Targets

    • Target

      2240902473.pdf.exe

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it closely resembles Snake Keylogger, which was first seen in 2020.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so the payload is not scanned.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution to or away from particular regions.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers commonly target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
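Of the behaviours listed above, the PowerShell tampering with Windows Defender is the easiest to hunt for on hosts with script block logging enabled, because the cmdlet and parameter names land verbatim in Microsoft-Windows-PowerShell/Operational event 4104. The following Python is an added example written for this report, not sandbox output or the malware's own code: it scans constructed ScriptBlockText values (the paths in them are made up) for Add-/Set-MpPreference calls that create exclusions. It resolves PowerShell's prefix-abbreviated parameter names the same way the shell does, so an attacker writing `-ExclusionPa` instead of `-ExclusionPath` is still caught, while an ambiguous prefix such as `-ExclusionP`, which PowerShell would refuse to bind, is reported as an attempt rather than as a live exclusion.

```python
"""Hunt Windows PowerShell script-block logs for Defender exclusion tampering.

Added example for this report; it is not part of the sandbox output. The
events below are constructed ScriptBlockText values in the shape that
Microsoft-Windows-PowerShell/Operational event 4104 records; the paths in
them are made up.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Parameters of Add-/Set-MpPreference that create exclusions. The report's
# signature names extensions, paths and processes; -ExclusionIpAddress is the
# fourth real parameter and is included so prefix resolution stays accurate.
EXCLUSION_PARAMS = (
    "ExclusionExtension", "ExclusionIpAddress", "ExclusionPath", "ExclusionProcess",
)

CMDLET_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)

# "-ExclusionXxx value[, value...]" where each value is 'quoted', "quoted" or
# a bare token. Commas are excluded from bare tokens so lists split cleanly.
ARG_RE = re.compile(
    r"-(?P<param>Exclusion\w*)\s+"
    r"(?P<values>(?:'[^']*'|\"[^\"]*\"|[^\s,;|]+)"
    r"(?:\s*,\s*(?:'[^']*'|\"[^\"]*\"|[^\s,;|]+))*)",
    re.IGNORECASE,
)
VALUE_RE = re.compile(r"'[^']*'|\"[^\"]*\"|[^\s,;|]+")

# Constructed sample events (index is used as a stand-in for the event record id).
SAMPLE_EVENTS = [
    # textbook exclusion add with mixed quoting and a comma-separated list
    "Add-MpPreference -ExclusionPath 'C:\\Users\\Public\\stage', "
    "\"C:\\ProgramData\\upd\" -ExclusionExtension .exe,.vbs",
    # abbreviated parameter name and lower-case cmdlet
    "add-mppreference -exclusionpr 'C:\\Users\\Public\\stage\\2240902473.pdf.exe'",
    # Defender cmdlet that touches no exclusion: should not be flagged
    "Set-MpPreference -DisableArchiveScanning $false",
    # ambiguous abbreviation (Path or Process?): PowerShell itself rejects this
    "Add-MpPreference -ExclusionP 'C:\\Temp'",
    # unrelated script block
    "Get-ChildItem -Path C:\\Windows\\Temp | Measure-Object",
]


@dataclass
class Finding:
    event_index: int
    script: str
    exclusions: dict = field(default_factory=dict)   # canonical param -> values
    unresolved: list = field(default_factory=list)   # prefixes PowerShell would reject


def canonical_param(token: str) -> str | None:
    """Resolve a possibly abbreviated parameter name the way PowerShell does.

    PowerShell binds any prefix that matches exactly one parameter, so
    'ExclusionPa' is ExclusionPath, while 'ExclusionP' matches both
    ExclusionPath and ExclusionProcess and is an error in PowerShell.
    """
    low = token.lower()
    hits = [p for p in EXCLUSION_PARAMS if p.lower().startswith(low)]
    return hits[0] if len(hits) == 1 else None


def scan_script_block(index: int, script: str) -> Finding | None:
    """Return a Finding if the block calls Add-/Set-MpPreference with an
    exclusion parameter (or tries to with a bad abbreviation), else None."""
    if not CMDLET_RE.search(script):
        return None
    finding = Finding(event_index=index, script=script)
    for arg in ARG_RE.finditer(script):
        values = [v.strip("'\"") for v in VALUE_RE.findall(arg.group("values"))]
        param = canonical_param(arg.group("param"))
        if param is None:
            finding.unresolved.append(arg.group("param"))
            continue
        finding.exclusions.setdefault(param, []).extend(values)
    if not finding.exclusions and not finding.unresolved:
        return None  # the cmdlet ran, but no exclusion parameter was involved
    return finding


def hunt(events: list[str]) -> list[Finding]:
    """Run the scan over every script block and keep only the hits."""
    return [f for i, s in enumerate(events) if (f := scan_script_block(i, s))]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"event {f.event_index}: exclusions={f.exclusions} unresolved={f.unresolved}")
```

In practice the `SAMPLE_EVENTS` list would be replaced by the ScriptBlockText field pulled from event 4104 records. The matching is purely lexical: a script that assembles the cmdlet name from string fragments, passes parameters by splatting, or arrives as an `-EncodedCommand` blob is not caught until after PowerShell has decoded it, which is exactly why script block logging (which records the decoded block) is the right source for this check rather than process command lines.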
