General

  • Target

    18a2d62cc5a151ec2c53c054572a0c762f4f7d6ed600526823a474498942a770.exe

  • Size

    890KB

  • Sample

    240926-bjq5tsybjp

  • MD5

    c53b67af325066b418d5acf3e67e93eb

  • SHA1

    8a5b6e006d5a2dc6d18bc679852d4c2e22e6ed9b

  • SHA256

    18a2d62cc5a151ec2c53c054572a0c762f4f7d6ed600526823a474498942a770

  • SHA512

    313b9c55711850a470f8be90aa0493adc66ab3213df795e27212e9b31c46f3910eff7ee002602e9f58e9c7dc64e0eab2fba4b6d68f31fa0f8c8636c071a1e3a3

  • SSDEEP

    24576:jcdjNn2aRLG6sBjelRZyN8Mv3ia52cXQz1Ft:0N2GLG5xelRZyGMvn2QQz1Ft

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      18a2d62cc5a151ec2c53c054572a0c762f4f7d6ed600526823a474498942a770.exe

    • Size

      890KB

    • MD5

      c53b67af325066b418d5acf3e67e93eb

    • SHA1

      8a5b6e006d5a2dc6d18bc679852d4c2e22e6ed9b

    • SHA256

      18a2d62cc5a151ec2c53c054572a0c762f4f7d6ed600526823a474498942a770

    • SHA512

      313b9c55711850a470f8be90aa0493adc66ab3213df795e27212e9b31c46f3910eff7ee002602e9f58e9c7dc64e0eab2fba4b6d68f31fa0f8c8636c071a1e3a3

    • SSDEEP

      24576:jcdjNn2aRLG6sBjelRZyN8Mv3ia52cXQz1Ft:0N2GLG5xelRZyGMvn2QQz1Ft

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first found in 2020.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, among other things.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks