General

  • Target

    58ADE05412907F657812BDA267C43288EA79418091.doc

  • Size

    635KB

  • Sample

    240928-g3rtcs1dkk

  • MD5

    35b33d95586ea91ff6b072869623fc8d

  • SHA1

    818f18b61e61aebe3fbe2a5f15fd486137ce715a

  • SHA256

    bcade8f76366bc86315e2775770083a82a5f1ca9344d03be5ef52616dcceaea8

  • SHA512

    e2dbaf671cff18b103a64094a9585ee3f22503e70acb2e82e192b81ef1d83e3d17d7d3c0c5ab6dafb023d5ee2a6164baa0a853942ef8e05550ded9a6c8bd1287

  • SSDEEP

    6144:ZwAYwAa+ndouOcVxwttnqbqmnXER5zWAk2Fd:ey

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it closely resembles SnakeKeylogger, which was first observed in 2020.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Microsoft Defender settings, adding exclusions for file extensions, paths and processes so that the payload is not scanned.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
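
The "Command and Scripting Interpreter: PowerShell" signature above describes Defender exclusions being added from PowerShell. The following is an added example, not part of the sandbox output or of the VIPKeylogger sample: a small detector that scans PowerShell script text (such as Event ID 4104 ScriptBlock log entries) for Add-MpPreference / Set-MpPreference calls that supply -ExclusionPath, -ExclusionExtension or -ExclusionProcess, decoding -EncodedCommand arguments first since that is how such commands are usually launched. The sample script blocks are constructed for the example and are not from this analysis.

```python
"""Detect PowerShell commands that add Microsoft Defender exclusions.

Added example for this report (not sandbox output): scans PowerShell script
text for Add-MpPreference / Set-MpPreference calls that set exclusion
parameters, after decoding any -EncodedCommand argument (base64 of UTF-16LE).
"""
import base64
import re
from dataclasses import dataclass

# Real Defender cmdlet parameters that add exclusions (compared case-insensitively).
EXCLUSION_PARAMS = {"exclusionpath", "exclusionextension", "exclusionprocess"}

# A cmdlet call and the rest of its pipeline segment (up to newline, ; or |).
_CALL_RE = re.compile(r"\b(?P<verb>Add|Set)-MpPreference\b(?P<args>[^\n;|]*)", re.I)
# "-Name value": the value runs until the next " -Param" or the end of the segment.
_ARG_RE = re.compile(r"-(?P<name>[A-Za-z]+)\s+(?P<value>(?:(?!\s-[A-Za-z]).)*)")
# powershell.exe -EncodedCommand <b64>; PowerShell also accepts the prefixes -e, -ec, -en, -enc.
_ENC_RE = re.compile(r"(?:^|\s)-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


@dataclass(frozen=True)
class ExclusionHit:
    cmdlet: str       # e.g. "Add-MpPreference"
    parameter: str    # e.g. "ExclusionPath"
    values: tuple     # excluded paths / extensions / process names
    source: str       # the (decoded) script text the hit was found in


def decode_encoded_commands(text: str) -> list:
    """Return the plaintext of every -EncodedCommand argument found in text."""
    decoded = []
    for m in _ENC_RE.finditer(text):
        try:
            decoded.append(base64.b64decode(m.group(1), validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64/UTF-16LE; nothing to scan here
    return decoded


def find_defender_exclusions(text: str) -> list:
    """Find exclusion-adding cmdlet calls in plaintext PowerShell."""
    hits = []
    for call in _CALL_RE.finditer(text):
        cmdlet = f"{call.group('verb').capitalize()}-MpPreference"
        for arg in _ARG_RE.finditer(call.group("args")):
            name = arg.group("name")
            if name.lower() not in EXCLUSION_PARAMS:
                continue
            # Values may be a comma-separated list, each item optionally quoted.
            values = tuple(v.strip().strip("'\"") for v in arg.group("value").split(",") if v.strip())
            hits.append(ExclusionHit(cmdlet, name, values, text))
    return hits


def scan_script_blocks(blocks) -> list:
    """Scan raw script blocks plus anything they launch via -EncodedCommand."""
    hits = []
    for block in blocks:
        hits.extend(find_defender_exclusions(block))
        for plain in decode_encoded_commands(block):
            hits.extend(find_defender_exclusions(plain))
    return hits


# Constructed sample script-block log entries (assumed input, not from the sandbox run).
_ENCODED = base64.b64encode("Set-MpPreference -ExclusionPath C:\\Temp".encode("utf-16-le")).decode()
SAMPLE_SCRIPT_BLOCKS = [
    "Get-MpPreference | Select-Object ExclusionPath",  # benign read-only query, no hit
    "Add-MpPreference -ExclusionPath 'C:\\Users\\Public' -ExclusionExtension exe,dll -ExclusionProcess 'svchost.exe'",
    "powershell.exe -nop -w hidden -e " + _ENCODED,  # same technique behind an encoded command
]

if __name__ == "__main__":
    for hit in scan_script_blocks(SAMPLE_SCRIPT_BLOCKS):
        print(f"{hit.cmdlet} -{hit.parameter} {', '.join(hit.values)}")
```

This matches full parameter names only; PowerShell also accepts unambiguous prefixes (for example -ExclusionP) and attackers build cmdlet names from string fragments, so in production pair this with a check that compares Get-MpPreference output against an approved exclusion list rather than relying on log text alone.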

MITRE ATT&CK Enterprise v15

Tasks