General

  • Target

    00d929fa445e4b08c8608d31ba99668147718dd31db6d2de3c153a983d05910a

  • Size

    641KB

  • Sample

    240925-ne8kjascrn

  • MD5

    98a9b14f46b84fda5e5ea5d696f6e493

  • SHA1

    1b0829012f848e771e560556f2fe8c85d78b5331

  • SHA256

    00d929fa445e4b08c8608d31ba99668147718dd31db6d2de3c153a983d05910a

  • SHA512

    b11ca0f4f9f40315794d7f5384b2a61ea084ba189dabf1e1fb0217446bdbfc6a1ec542b79104fff8c6cf540e294d1211f134714bd40fbc1fba513655af36008f

  • SSDEEP

    12288:xndxU0dRMTwJI9WjrQzmqedzilf8Bj3gZ6ZTAIcQsifbrT7qEB1cPausr+p74:xndO0LIwQmqeEf8BL1Acv14srN

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    kashmirestore.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    c%P+6,(]YFvP

Extracted

Family

vipkeylogger

Targets

    • Target

      Tech Specifications.pdf.exe

    • Size

      691KB

    • MD5

      5208e8e74ee62d2ea607d8f7d301ea49

    • SHA1

      2990e3d75e1980fa3ac2984a53be2883b19c7e4f

    • SHA256

      3452d7e5972e00e7ec6a2d4e99ab27d45598412280e9a81010a4e8df2f6783aa

    • SHA512

      f69a4473a48e07bc6562d4ca07d69aca449bfdd9ede79297d652188ce35aa9d08e29c2e9a7ba418d7b791d4a824b1cd9cac40b984fbb1bfe435d61221150f976

    • SSDEEP

      12288:PatccGrDGxUvKj+jNYzqYelziLH85jRgfOHT0EcQwWf/rTVW+xSl+Ae/8bQb:wGlKOKqYeyH8Hpz0EhWRlYgI

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first observed in 2020.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP address.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks