General

  • Target

    0b44cef4107229e61686d9dd28adbe4aaa5cb12893b4ad4b805aeb11b47a820b.gz

  • Size

    694KB

  • Sample

    240925-bf9srswanj

  • MD5

    5fab344fde20584e49f715a3a3223bcc

  • SHA1

    6ba59b3ae7f86a689c134b8f0b1a1a93b32b4ea0

  • SHA256

    0b44cef4107229e61686d9dd28adbe4aaa5cb12893b4ad4b805aeb11b47a820b

  • SHA512

    90b014f781eee6f99c5af63eaf69ccbfe45e046fd4a646adce4d6a9965a519e73b017f25ffa6848453a76a90565f0f0a7743f839fb73c8392d8cda9f591d666f

  • SSDEEP

    12288:khp+mj2X3K7x6sJzuVAGiCGy8ONvrcqIH23rp4+8cDoEWL76HjSk5uNzSU//Fv2J:1Z3KNX8eGxGX+voqVt4+8cDoEWL7SjHF

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      NEW PO - 4067543012.exe

    • Size

      854KB

    • MD5

      b15b83f0aca6375277cfd79c3ab96fa1

    • SHA1

      87ef96c2bd2245075082fe695eb164443eff637a

    • SHA256

      cea7e7e11c4340ef167fa673fd12625b48dc1bd5a6b34653f4986b92659a9886

    • SHA512

      38cd17a629867290c2a4305520148be0b742c81256264abd552db1a64318e291bc9a61eb4f06e7c70f5984a4ea4db5f528726684b497a7125304be224a53219a

    • SSDEEP

      24576:yeq3Zk1T8Fvg3K13rxlmGi+z/3hj+ZqVF4+0cD0aWLlYjHDboU:51IF4erVi8fFZpDbWLlYznf

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks