General

  • Target

    01. GLOBAL ORIOLE.pdf.exe

  • Size

    1.2MB

  • Sample

    240925-x37sksweqc

  • MD5

    619ee4eec9d7d2ffb4d779d98543fc7a

  • SHA1

    03c441a6bcaaf5e1b24b1ab46753b1e9141f2750

  • SHA256

    8308fec5f677fc6493f751e441d55481223b1bd2e759e0fce9f85b90429920c6

  • SHA512

    ba896872d9b633a0a1cf5daf558426712fc0a703b5d6997ec9192dd30f56fde053a9308818130def05e7db201f1ae9516896ac7f918ce413a7f9815c7f5a7c96

  • SSDEEP

    24576:uRmJkcoQricOIQxiZY1iaClyDVRs+QIPjcSCJGBOeNFO:7JZoQrbTFZY1iaCUP77cU5k

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.r011.com.br
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    akP?=r0&YaA)

Extracted

Family

vipkeylogger

Targets

    • Target

      01. GLOBAL ORIOLE.pdf.exe

    • Size

      1.2MB

    • MD5

      619ee4eec9d7d2ffb4d779d98543fc7a

    • SHA1

      03c441a6bcaaf5e1b24b1ab46753b1e9141f2750

    • SHA256

      8308fec5f677fc6493f751e441d55481223b1bd2e759e0fce9f85b90429920c6

    • SHA512

      ba896872d9b633a0a1cf5daf558426712fc0a703b5d6997ec9192dd30f56fde053a9308818130def05e7db201f1ae9516896ac7f918ce413a7f9815c7f5a7c96

    • SSDEEP

      24576:uRmJkcoQricOIQxiZY1iaClyDVRs+QIPjcSCJGBOeNFO:7JZoQrbTFZY1iaCUP77cU5k

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first observed in 2020.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext
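The indicators above (the double-extension lure name, the file hashes, and the extracted FTP host and port) can be turned into a small triage script. The following is an added example, not part of the sandbox output or of the malware family's code. It assumes a simple constructed connection-log format ("timestamp src -> host:port proto") and an illustrative list of document/executable extensions; both are assumptions. The report's FTP username is obfuscated on the page and the password is not needed for detection, so only the host and port are used.

```python
"""Triage helper built from the indicators in this report.

Added example, not part of the sandbox output. It covers three checks a
responder would want from the report above: the double-extension lure name,
the file hashes, and connections to the extracted FTP host/port.
"""
import hashlib
import re
from pathlib import Path
from typing import List, Tuple

# Indicators copied from the report.
REPORT_MD5 = "619ee4eec9d7d2ffb4d779d98543fc7a"
REPORT_SHA256 = "8308fec5f677fc6493f751e441d55481223b1bd2e759e0fce9f85b90429920c6"
EXFIL_HOST = "ftp.r011.com.br"
EXFIL_PORT = 21

# A document-looking inner extension followed by an executable outer one,
# the pattern used by "01. GLOBAL ORIOLE.pdf.exe". The extension lists are
# an assumption; extend them for your environment.
DOUBLE_EXT = re.compile(
    r"\.(pdf|docx?|xlsx?|pptx?|jpe?g|png|txt)\.(exe|scr|com|pif|bat|cmd)$",
    re.IGNORECASE,
)


def is_lure_filename(name: str) -> bool:
    """True when the file name hides an executable behind a document extension."""
    return DOUBLE_EXT.search(name) is not None


def hash_bytes(data: bytes) -> dict:
    """MD5 and SHA-256 of a byte string, lowercase hex as in the report."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_report_hashes(data: bytes) -> bool:
    """True when the content matches the sample (SHA-256 is authoritative, MD5 is a weaker cross-check)."""
    h = hash_bytes(data)
    return h["sha256"] == REPORT_SHA256 or h["md5"] == REPORT_MD5


def hash_file(path: Path) -> dict:
    """Hash a file on disk with the same digests the report lists."""
    return hash_bytes(Path(path).read_bytes())


# Constructed connection log for the demo (not real traffic). The format is
# an assumption: "<timestamp> <src_ip> -> <dst_host>:<dst_port> <proto>".
SAMPLE_CONN_LOG = """\
2024-09-25T10:01:12Z 10.0.0.15 -> ftp.r011.com.br:21 tcp
2024-09-25T10:01:13Z 10.0.0.15 -> ip-lookup.example:443 tcp
2024-09-25T10:02:40Z 10.0.0.22 -> mail.example.net:587 tcp
2024-09-25T10:03:05Z 10.0.0.22 -> ftp.r011.com.br:22 tcp
2024-09-25T10:04:51Z 10.0.0.31 -> FTP.R011.COM.BR:21 tcp
"""

LOG_LINE = re.compile(r"^(\S+) (\S+) -> ([^:\s]+):(\d+) (\S+)$")


def find_exfil_connections(log_text: str) -> List[Tuple[str, str]]:
    """Return (timestamp, source IP) for each connection to the extracted FTP host and port.

    Host comparison is case-insensitive; a connection to the same host on a
    different port (line 4 of the sample) is deliberately not reported.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ts, src, host, port, _proto = m.groups()
        if host.lower() == EXFIL_HOST and int(port) == EXFIL_PORT:
            hits.append((ts, src))
    return hits


if __name__ == "__main__":
    print("lure name:", is_lure_filename("01. GLOBAL ORIOLE.pdf.exe"))
    for ts, src in find_exfil_connections(SAMPLE_CONN_LOG):
        print(f"{ts} {src} connected to {EXFIL_HOST}:{EXFIL_PORT}")
```

Run it as-is to see the sample matches, or call `hash_file()` on a quarantined file and `find_exfil_connections()` on your own log after adjusting `LOG_LINE` to its format. Matching on the hostname alone would also catch the port-22 line, which is why the port from the extracted config is part of the check.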

MITRE ATT&CK Enterprise v15

Tasks