General

  • Target

    inquiry.exe

  • Size

    1.3MB

  • Sample

    240925-t38s4ayepc

  • MD5

    e645b187588a20e886416884000446db

  • SHA1

    1197c4cb571201164af8e2f98f787be189c9aa63

  • SHA256

    32bb184d40c1cd31619acef73c72cff265023617438eedc0890da62b50f6ff98

  • SHA512

    7fcd283afbf2cc2d505b80decc18ad9fe1cdeef2fbd8edd223c957a7ada6e76090ee4743023f84c50453b858b565bd28ba739f6c440bd56c57c316fd0b0e26b4

  • SSDEEP

    24576:ZOSVcy0SVP2ABoxNwmV3p3PWTkhPV6UNqXCosA:ISumstwsYplsA

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.fastestpay.digital
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    1Qj;XlmD!Lrj

Extracted

Family

vipkeylogger

Targets

    • Target

      inquiry.exe

    • UAC bypass

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first observed in 2020.

    • Windows security bypass

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Windows security modification

    • Accesses Microsoft Outlook profiles

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15