General

  • Target

    241e1365a1167e6e5ca9d489cad6867fb44196d60473f679888a0a3cfbb93a35.zip

  • Size

    889KB

  • Sample

    240925-bq2vxazakc

  • MD5

    9165274d1fe53a3529567d7edfc0579c

  • SHA1

    f0e6fe9ae846bb7769437bb079e1f467c4e84921

  • SHA256

    241e1365a1167e6e5ca9d489cad6867fb44196d60473f679888a0a3cfbb93a35

  • SHA512

    b03e69e7d9ad693c483f07dea93f097ebc04b7933ca182d003aa6f1e75ca2f2d82ef9cf07b4b4f654f8ca706e22ec1a5274bbbc7db5a927a8eb1090d4c927e35

  • SSDEEP

    24576:nt7Y8R39qYXC6ruzW1I7N4GtqWx3XpxxZ:nt7Y89qYXC6ruzWaNqenpxxZ

Malware Config

Extracted

Family

vipkeylogger

Extracted Credentials

  • Protocol:
    smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Password: )NYyffR0

Targets

    • Target

      SWIFT COPY.exe

    • Size

      1.2MB

    • MD5

      d138e7f7d5e29f416b7b04e4f7567d11

    • SHA1

      4ed5d9329f6d190936ba3065b75bd90c7f83d04b

    • SHA256

      b265a1d4698c08fe197c6cfed56a7a23adae05fdd25a4917ff5354e537f698d9

    • SHA512

      9aca54e79a967ed2d22bcc92d759e934aa39c407bd3d2d42795d285aaa52030205215965bb56f639f18bbaaaf4a9e4247834f935600d2455830f74b19c1d7afc

    • SSDEEP

      24576:pRmJkcoQricOIQxiZY1iaXSnI7XSMXGGXb3jZFR:mJZoQrbTFZY1iaXS4rGozjZFR

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first found in 2020.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks