General

  • Target

    a947fb714131dc2a3ebdbab989f241713e51d629e00b292b5e6111e8c1506ae3.exe

  • Size

    940KB

  • Sample

    240926-cnw3bavapb

  • MD5

    d0ea74bc92edf6c15ec891218fa6ec82

  • SHA1

    9e16672d91e4eceb3ceb6c4592baba252ee56edf

  • SHA256

    a947fb714131dc2a3ebdbab989f241713e51d629e00b292b5e6111e8c1506ae3

  • SHA512

    d3e025fe052104b88970e3efbc7dd174bd0d0965b977f3f1a4274f7302a000b54c4f41824963ef2f393bcf30f0e0760e1f822cb02ffb7956f26a08a430b58d94

  • SSDEEP

    12288:83FQovvvDg6BCQC+5MnwNJhW3EFPwUpkFhCNQB4UOWTFqeUOlv/y/FUsjtzVbiSg:8GGvvM6RCwNNyEFPNOZOWTF32Usjj6

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks