General

  • Target: Purchase Order.zip
  • Size: 638KB
  • Sample: 240926-cktg1stgrg
  • MD5: 32134a842d4a6ec0655f7429d3e6fba8
  • SHA1: 2285b163ddc4027888c3486df395edd77a7c9385
  • SHA256: 879d61ba850b8f237d7f5c0777fbca02d14e834b308a2ba5271203da5cde10d3
  • SHA512: dd789fbff480b591f8fb8ff8d5a9270e2ad361678be27bf3003da8a21be7a084da0a4bd373ba144001b89e5abe426b1c9fd6e055763d3c09b9fc94f1696b4a28
  • SSDEEP: 12288:wBjtPTAXVDsRoI7UpEkW3/nV+b3S2bjtvw5biXtUreKVM1lh3Tp8frfzch2:wnrAuRoI7UpEFnV87tvwhimKKqsch2

Malware Config

Extracted

  • Credentials
    • Protocol: smtp
    • Host: us2.smtp.mailhostbox.com
    • Port: 587
    • Username: [email protected]
    • Password: qimnnEB2

Extracted

  • Family: vipkeylogger

Targets

    • Target: Purchase Order.exe
    • Size: 688KB
    • MD5: 7e9d6de8d9f5637d68911dc73d84c8db
    • SHA1: a0f2849fa522e4b4053e4ab217d9b7308f03bff4
    • SHA256: 368da0cb9f1aff3202fcb9820e8588c2fe005776885039cd61a4fd6dc48669d9
    • SHA512: e2b8639c5e741c0b2b8a15376f530e72da3c00d68fdb7e11e36b827d85d559c420c6575171ec78c3e91828d3881cf3f547ec70af12e9d06c6d66a1f9c26f1c24
    • SSDEEP: 12288:CPUJY9zTAtVDsdoC7UpwkW5/nD+4AZs70WMK2lWxiyCChqPbk8bQbkx:EvAwdoC7UpwbnDmLWMK2lWYyROIi

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP address.

    • Suspicious use of SetThreadContext
