General
Target: Purchase Order.zip
Size: 638KB
Sample: 240926-cktg1stgrg
MD5: 32134a842d4a6ec0655f7429d3e6fba8
SHA1: 2285b163ddc4027888c3486df395edd77a7c9385
SHA256: 879d61ba850b8f237d7f5c0777fbca02d14e834b308a2ba5271203da5cde10d3
SHA512: dd789fbff480b591f8fb8ff8d5a9270e2ad361678be27bf3003da8a21be7a084da0a4bd373ba144001b89e5abe426b1c9fd6e055763d3c09b9fc94f1696b4a28
SSDEEP: 12288:wBjtPTAXVDsRoI7UpEkW3/nV+b3S2bjtvw5biXtUreKVM1lh3Tp8frfzch2:wnrAuRoI7UpEFnV87tvwhimKKqsch2
Static task: static1
Behavioral task: behavioral1
Sample: Purchase Order.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: Purchase Order.exe
Resource: win10v2004-20240802-en
Malware Config
Extracted
Protocol: smtp
Host: us2.smtp.mailhostbox.com
Port: 587
Username: [email protected]
Password: qimnnEB2
Extracted
Family: vipkeylogger
Protocol: smtp
Host: us2.smtp.mailhostbox.com
Port: 587
Username: [email protected]
Password: qimnnEB2
Email To: [email protected]
Targets
Target: Purchase Order.exe
Size: 688KB
MD5: 7e9d6de8d9f5637d68911dc73d84c8db
SHA1: a0f2849fa522e4b4053e4ab217d9b7308f03bff4
SHA256: 368da0cb9f1aff3202fcb9820e8588c2fe005776885039cd61a4fd6dc48669d9
SHA512: e2b8639c5e741c0b2b8a15376f530e72da3c00d68fdb7e11e36b827d85d559c420c6575171ec78c3e91828d3881cf3f547ec70af12e9d06c6d66a1f9c26f1c24
SSDEEP: 12288:CPUJY9zTAtVDsdoC7UpwkW5/nD+4AZs70WMK2lWxiyCChqPbk8bQbkx:EvAwdoC7UpwbnDmLWMK2lWYyROIi
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first observed in 2020.
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Checks computer location settings
Looks up the country code configured in the registry, likely as a geofence check.
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP address.
Suspicious use of SetThreadContext