General

  • Target

    556ba0ef7ba5cd5d838485872af02b606516b6ba1e45b1d5caa649baf6371e06N

  • Size

    865KB

  • Sample

    240928-v6c19sxfrp

  • MD5

    1553867221f1a21959636701dda02830

  • SHA1

    c369ab457651d7465ccfefb67df1d730ba6913e8

  • SHA256

    556ba0ef7ba5cd5d838485872af02b606516b6ba1e45b1d5caa649baf6371e06

  • SHA512

    93056c306aef3566d46590aafb0aaf200366dbe0a999e0c6d0ff6dd42a83bd5b7a06b58d342430d799c71a11d8d512e441ba7ad0fb08f86b931256d3adca7366

  • SSDEEP

    24576:R6MxlakyqdWK9QEu4CLlaXxFBJbRj8+Y5OkrGgVq:R6MxlakvdWEQECYxX9RwTO9

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.ionos.fr
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    HSBcargo_22

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      556ba0ef7ba5cd5d838485872af02b606516b6ba1e45b1d5caa649baf6371e06N

    • Size

      865KB

    • MD5

      1553867221f1a21959636701dda02830

    • SHA1

      c369ab457651d7465ccfefb67df1d730ba6913e8

    • SHA256

      556ba0ef7ba5cd5d838485872af02b606516b6ba1e45b1d5caa649baf6371e06

    • SHA512

      93056c306aef3566d46590aafb0aaf200366dbe0a999e0c6d0ff6dd42a83bd5b7a06b58d342430d799c71a11d8d512e441ba7ad0fb08f86b931256d3adca7366

    • SSDEEP

      24576:R6MxlakyqdWK9QEu4CLlaXxFBJbRj8+Y5OkrGgVq:R6MxlakvdWEQECYxX9RwTO9

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks