General

  • Target

    SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe

  • Size

    691KB

  • Sample

    240925-w4azkazglq

  • MD5

    70262b2a7d84c44a127705652cdb57dc

  • SHA1

    7d23ab78513538d6367f3394cd7471cd68b93b00

  • SHA256

    eee5b91e98c90ca0bf35d7e47188214b55387da679bf2821de6446fef111971e

  • SHA512

    692637faafc817ccf4f066f2b88f68495a61153f34f286398cf9ebbcf6ea6a18a5fea68ba3a5f92e95b19c093eb3544631d480900cd9cf89f91aa996c3afffa7

  • SSDEEP

    12288:2ip8bQb55K+QnhbjFjG+I+qx9VAcb7aRp7/aYiFrDQE83aaag0PAw:kIyxhbj0+ID9VABR0YuQEilagJw

Malware Config

Extracted

  • Family
    vipkeylogger

Extracted Credentials

  • Protocol:
    smtp
  • Host:
    mail.jhxkgroup.online
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    7213575aceACE@@

Targets

    • Target

      SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks