General

  • Target

    z30OrderRFQ.exe

  • Size

    1.2MB

  • Sample

    240925-np187swfje

  • MD5

    dbd8d3c12d6fce47889e004ba21a8b88

  • SHA1

    005669c6331f9a9d884628295b4a0fd440b7c9a9

  • SHA256

    ef25c5e1cca2a17290db110d708995e5572ab7c8c06049f3b7c133d2a3a56c8b

  • SHA512

    9b84f142063be4d4d4b7af14c5fbe36f63b9983e4fab7130b0c99daaae7e7d321728393d8416b98f4c05b531dc70d2df28d16cd3e703e961168b3aaa21909e7f

  • SSDEEP

    24576:pRmJkcoQricOIQxiZY1iaXCd0eJc6nqS9cw9HqG0WzROcsbVdex+:mJZoQrbTFZY1iaXCWeebyKvW/Qex+

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Password: )NYyffR0

Extracted

Family

vipkeylogger

Targets

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks