General

  • Target

    654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe

  • Size

    866KB

  • Sample

    240926-b5fafszdll

  • MD5

    433fda0ddceae6820f653ff3318e6278

  • SHA1

    6735afd7485703ea42db10b3154f1498cc39b1bd

  • SHA256

    654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53

  • SHA512

    e4df64709ea1030b6672f6eb5fac273e17c31fa8e767bf62a83ac84a4bde12f3f7549cdbd85c60f54579d986c7ce520c4aebe4c0ba141f1beeeaa6883c0a19bd

  • SSDEEP

    24576:Os4xlaVmok7zerjTiGoMOCUhdS2aNlwrjOlGgVi:Os4xlakTnefTijMg3UlwrKc

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53.exe

    • Size

      866KB

    • MD5

      433fda0ddceae6820f653ff3318e6278

    • SHA1

      6735afd7485703ea42db10b3154f1498cc39b1bd

    • SHA256

      654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53

    • SHA512

      e4df64709ea1030b6672f6eb5fac273e17c31fa8e767bf62a83ac84a4bde12f3f7549cdbd85c60f54579d986c7ce520c4aebe4c0ba141f1beeeaa6883c0a19bd

    • SSDEEP

      24576:Os4xlaVmok7zerjTiGoMOCUhdS2aNlwrjOlGgVi:Os4xlakTnefTijMg3UlwrKc

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, among other things.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup web service to determine the infected system's external IP address.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks