General

  • Target

    SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe

  • Size

    1.2MB

  • Sample

    240925-txh1gsybrf

  • MD5

    bfc2f15c9fbb61f2f666642b13128192

  • SHA1

    f201a42946422e7efd6d878ba2f4c5d8c4acee31

  • SHA256

    ffac4f21d52da5b3179d991d975be683789f0c450b8fc1712ff5dbafb0cc72c4

  • SHA512

    2fac6e6d185b1b653119f35a8a6490e065d3a4d73d310c0b12b9d8223e39f8c119035e105420130231044f6b83c68252cca1ac2c5c415631b76996601ed6e37e

  • SSDEEP

    24576:pRmJkcoQricOIQxiZY1iaJOfhm+R6BIQczyvq6LC/LQ4yZG6T7frw/5:mJZoQrbTFZY1iaJZtKQccq6LeU3rc5

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    D4v_8+edvC?l. .

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe

    • Size

      1.2MB

    • MD5

      bfc2f15c9fbb61f2f666642b13128192

    • SHA1

      f201a42946422e7efd6d878ba2f4c5d8c4acee31

    • SHA256

      ffac4f21d52da5b3179d991d975be683789f0c450b8fc1712ff5dbafb0cc72c4

    • SHA512

      2fac6e6d185b1b653119f35a8a6490e065d3a4d73d310c0b12b9d8223e39f8c119035e105420130231044f6b83c68252cca1ac2c5c415631b76996601ed6e37e

    • SSDEEP

      24576:pRmJkcoQricOIQxiZY1iaJOfhm+R6BIQczyvq6LC/LQ4yZG6T7frw/5:mJZoQrbTFZY1iaJZtKQccq6LeU3rc5

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext
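The extracted SMTP configuration and the file hashes above are the parts of this report an analyst actually acts on: the hashes confirm that a file pulled from a host is this sample, and the exfiltration host/port give a network indicator to hunt for. The following is an added example, not part of the sandbox report or of the Triage tooling: it copies the report's hashes and SMTP host/port into a small Python module, verifies a file against all four digests, and scans a constructed connection log for traffic to the exfil host or to port 587 relays that are not on a (hypothetical) allowlist of the organisation's own mail servers. The log lines and the allowlist entry `smtp.corp.example` are constructed for this example.

```python
"""Triage helpers built from the VIPKeylogger report above.

Added example (not the report's or the sandbox's own code).  Hashes and
the SMTP host/port are copied from the report; the log lines and the
relay allowlist are constructed for illustration.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

# Copied from the report's "Malware Config" section.
EXFIL_HOST = "us2.smtp.mailhostbox.com"
EXFIL_PORT = 587

# Copied from the report's "General" section.
REPORT_HASHES = {
    "md5": "bfc2f15c9fbb61f2f666642b13128192",
    "sha1": "f201a42946422e7efd6d878ba2f4c5d8c4acee31",
    "sha256": "ffac4f21d52da5b3179d991d975be683789f0c450b8fc1712ff5dbafb0cc72c4",
    "sha512": "2fac6e6d185b1b653119f35a8a6490e065d3a4d73d310c0b12b9d8223e39f8c1"
              "19035e105420130231044f6b83c68252cca1ac2c5c415631b76996601ed6e37e",
}

# Hypothetical allowlist: the organisation's own submission relays.
# Anything else a workstation talks to on 587 deserves a look.
ALLOWED_SUBMISSION_RELAYS = {"smtp.corp.example"}

# Constructed log, one connection per line: ts src_ip dst_host dst_port
SAMPLE_CONN_LOG = """\
# constructed for this example, not a real capture
2024-09-25T14:01:02Z 10.0.0.15 www.example.com 443
2024-09-25T14:01:03Z 10.0.0.15 us2.smtp.mailhostbox.com 587
2024-09-25T14:05:40Z 10.0.0.22 smtp.corp.example 587
2024-09-25T14:06:11Z 10.0.0.15 US2.SMTP.MAILHOSTBOX.COM. 25
2024-09-25T14:07:00Z 10.0.0.31 mail.attacker.example 587
"""


def hashes_of_bytes(data: bytes) -> dict:
    """Compute every digest the report lists, keyed by algorithm name."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORT_HASHES}


def matches_report(data: bytes) -> bool:
    """True only if all four digests agree with the report."""
    return hashes_of_bytes(data) == REPORT_HASHES


def verify_file(path: str) -> bool:
    """Read a file from disk and check it against the report's hashes."""
    with open(path, "rb") as fh:
        return matches_report(fh.read())


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    dst_host: str
    dst_port: int
    reason: str


_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def classify(dst_host: str, dst_port: int) -> Optional[str]:
    """Return a reason string if the connection matches an indicator."""
    host = dst_host.lower().rstrip(".")  # normalise case and trailing dot
    if host == EXFIL_HOST:
        return "exfil-host"
    if dst_port == EXFIL_PORT and host not in ALLOWED_SUBMISSION_RELAYS:
        return "unexpected-submission-port"
    return None


def scan_conn_log(text: str) -> list:
    """Parse the constructed log format and collect matching connections."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort the scan
        ts, src, host, port = m.groups()
        reason = classify(host, int(port))
        if reason:
            hits.append(Hit(ts, src, host, int(port), reason))
    return hits


if __name__ == "__main__":
    for h in scan_conn_log(SAMPLE_CONN_LOG):
        print(f"{h.ts} {h.src} -> {h.dst_host}:{h.dst_port} [{h.reason}]")
```

Two practical notes. The extracted username and password belong to the attacker's drop mailbox: use them to block the host and to pivot on the mailbox address in other samples, never to log in, which is both illegal in most jurisdictions and tips off the operator. And match on all four digests rather than MD5 alone; the SSDEEP value in the report is for finding near-variants with `ssdeep -m`, not for confirming identity.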

MITRE ATT&CK Enterprise v15

Tasks