General
-
Target
556ba0ef7ba5cd5d838485872af02b606516b6ba1e45b1d5caa649baf6371e06N
-
Size
865KB
-
Sample
240928-v6c19sxfrp
-
MD5
1553867221f1a21959636701dda02830
-
SHA1
c369ab457651d7465ccfefb67df1d730ba6913e8
-
SHA256
556ba0ef7ba5cd5d838485872af02b606516b6ba1e45b1d5caa649baf6371e06
-
SHA512
93056c306aef3566d46590aafb0aaf200366dbe0a999e0c6d0ff6dd42a83bd5b7a06b58d342430d799c71a11d8d512e441ba7ad0fb08f86b931256d3adca7366
-
SSDEEP
24576:R6MxlakyqdWK9QEu4CLlaXxFBJbRj8+Y5OkrGgVq:R6MxlakvdWEQECYxX9RwTO9
Static task
static1
Behavioral task
behavioral1
Sample
556ba0ef7ba5cd5d838485872af02b606516b6ba1e45b1d5caa649baf6371e06N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
556ba0ef7ba5cd5d838485872af02b606516b6ba1e45b1d5caa649baf6371e06N.exe
Resource
win10v2004-20240802-en
Malware Config
Extracted
Protocol: smtp- Host:
smtp.ionos.fr - Port:
587 - Username:
[email protected] - Password:
HSBcargo_22
Extracted
vipkeylogger
Protocol: smtp- Host:
smtp.ionos.fr - Port:
587 - Username:
[email protected] - Password:
HSBcargo_22 - Email To:
[email protected]
Targets
-
-
Target
556ba0ef7ba5cd5d838485872af02b606516b6ba1e45b1d5caa649baf6371e06N
-
Size
865KB
-
MD5
1553867221f1a21959636701dda02830
-
SHA1
c369ab457651d7465ccfefb67df1d730ba6913e8
-
SHA256
556ba0ef7ba5cd5d838485872af02b606516b6ba1e45b1d5caa649baf6371e06
-
SHA512
93056c306aef3566d46590aafb0aaf200366dbe0a999e0c6d0ff6dd42a83bd5b7a06b58d342430d799c71a11d8d512e441ba7ad0fb08f86b931256d3adca7366
-
SSDEEP
24576:R6MxlakyqdWK9QEu4CLlaXxFBJbRj8+Y5OkrGgVq:R6MxlakvdWEQECYxX9RwTO9
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2