General

  • Target

    PAYSLIP.exe

  • Size

    1.2MB

  • Sample

    240924-ya8d3s1epm

  • MD5

    2938cc0b09faea3231faae8793294cda

  • SHA1

    ead974fbe630490f260ad5dfd7084d15b6afba71

  • SHA256

    6b936382994c74fa35aadd7655ea89a20f4ca8ddde9c651f4f6287679979f474

  • SHA512

    3c7c49ff85c9075287a088df92061e096eb595a01e3019ea19f2ddbc2f19602f24dbfa86b43dddd100327648ca66fdf06b9d7c2858e0fd514dff7021fee5a8b3

  • SSDEEP

    24576:pRmJkcoQricOIQxiZY1iaJFsnSe5p42uVti86pa0rL2wREeTrDu:mJZoQrbTFZY1iaJFYYZti8X0/2wREezu

Malware Config

Extracted

Family

vipkeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    )NYyffR0

Targets

    • Target

      PAYSLIP.exe

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first found in 2020.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext
