General
Target: SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe
Size: 691KB
Sample: 240925-w4azkazglq
MD5: 70262b2a7d84c44a127705652cdb57dc
SHA1: 7d23ab78513538d6367f3394cd7471cd68b93b00
SHA256: eee5b91e98c90ca0bf35d7e47188214b55387da679bf2821de6446fef111971e
SHA512: 692637faafc817ccf4f066f2b88f68495a61153f34f286398cf9ebbcf6ea6a18a5fea68ba3a5f92e95b19c093eb3544631d480900cd9cf89f91aa996c3afffa7
SSDEEP: 12288:2ip8bQb55K+QnhbjFjG+I+qx9VAcb7aRp7/aYiFrDQE83aaag0PAw:kIyxhbj0+ID9VABR0YuQEilagJw
Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe
  Resource: win10v2004-20240802-en
Malware Config
Extracted
  Family: vipkeylogger
  Protocol: smtp
  Host: mail.jhxkgroup.online
  Port: 587
  Username: [email protected]
  Password: 7213575aceACE@@
  Email To: [email protected]
Extracted
  Protocol: smtp
  Host: mail.jhxkgroup.online
  Port: 587
  Username: [email protected]
  Password: 7213575aceACE@@
Targets
Target: SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP address.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (2)
  - Credentials In Files (2)