General

  • Target

    30092024_2300_30092024_3140, EUR.bz

  • Size

    700KB

  • Sample

    240930-2y8ljatbmc

  • MD5

    a2f934b136caad093f68e47df468dc8b

  • SHA1

    5046abc1e0f4baafa5ca68f3aefe2bac95e8b7b8

  • SHA256

    2e0dba87aadbf40645c7b7cf8a4bf3d314c916e64ac032913d7cc979939158f4

  • SHA512

    7e5a4f191353845af273c32ab8ed771d891410b634d8019456876ec5f4de9bb5bd979f82249a50d8eee16fa0dabcb5fea43fdecb5b78a86a78d84f027a10e2dd

  • SSDEEP

    12288:DwIrwfV7JJeWmFU00sm1Snc5LbZ8bkLu/7/V4sl15aIKh5ZYjigEUdtXSGM6:0IcV72w00sESC8bMu/zSana7yjpdcG

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    quicklyserv.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    omobolajijonze12345

Extracted

Family

vipkeylogger

Targets

    • Target

      3140, EUR.exe

    • Size

      796KB

    • MD5

      332593ae1e0ba5a06370963c37bbbceb

    • SHA1

      994f8e733ba1961882dcdef0c78fc305db4c1c91

    • SHA256

      9ca5a71321522f47140b36e5f1983cff7455dd124caa231d97df29cd654c6893

    • SHA512

      111b6d04597e4f00d8d30cb3e1c8514b92fc1ad936db7553a6f9f00146e0511bedb4d0fcd2cb011959063ffa6eac88a8287724ade1e67a1aa77122390c7e48c0

    • SSDEEP

      12288:UUxLU3TBHWn/JDfaWEtYWWcw/1/4sln7aIK5nRYji9avo0Dx/v7UcM:UUxCHwDiWEepcw/ia7aV6jMG/HYcM

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it closely resembles SnakeKeylogger, which was first observed in 2020.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so that the malware's own files and processes are no longer scanned. Exclusions added this way persist until removed and can be enumerated on the host with Get-MpPreference.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely for geofencing (choosing whether to run based on the victim's locale).

    • Reads user/profile data of local email clients

      Email clients store some user data (profiles and stored credentials) on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and session cookies.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
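The "Command and Scripting Interpreter: PowerShell" behaviour above (Add-MpPreference exclusions for extensions, paths and processes) is the one most worth hunting for in process-creation telemetry, because a successful exclusion blinds Defender to everything that follows. The following Python is an added example written for this page; it is not code from the sandbox report or from the VIPKeylogger sample. It scans constructed command lines (made up here, not taken from this sample; the file names are placeholders) for Add-MpPreference -Exclusion* usage, and handles two evasions a naive substring search misses: PowerShell's parameter-prefix abbreviation (-ExclusionExt for -ExclusionExtension) and a base64/UTF-16LE -EncodedCommand payload (abbreviated to -enc).

```python
import base64
import re

# Add-MpPreference is the cmdlet that adds Defender exclusions; the relevant
# parameters are -ExclusionExtension, -ExclusionPath and -ExclusionProcess.
# PowerShell accepts any unambiguous prefix of a parameter name (for example
# -ExclusionExt), so the "-Exclusion" stem is matched rather than full names.
ADD_CMDLET = re.compile(r"\bAdd-MpPreference\b", re.IGNORECASE)
EXCLUSION_ARG = re.compile(
    r"(-Exclusion\w*)\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.IGNORECASE)
# Candidate "-e..." switches followed by a base64 blob; filtered below so that
# only prefixes of -EncodedCommand (-e, -ec, -enc, ...) are decoded.
ENCODED_ARG = re.compile(r"-([eE][A-Za-z]*)\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none.

    The payload is base64 of UTF-16LE text, which is why a substring search
    for 'Add-MpPreference' on the raw command line misses it.
    """
    for match in ENCODED_ARG.finditer(cmdline):
        flag, payload = match.group(1).lower(), match.group(2)
        if not "encodedcommand".startswith(flag):
            continue  # -ExecutionPolicy, -ep, etc. are not the encoded flag
        try:
            return base64.b64decode(payload, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue  # looked like the flag but the blob is not a payload
    return None


def find_defender_exclusions(cmdline):
    """Return [(parameter, value), ...] for every exclusion this command line
    adds via Add-MpPreference; an empty list means nothing suspicious."""
    script = decode_encoded_command(cmdline) or cmdline
    if not ADD_CMDLET.search(script):
        return []
    hits = []
    for match in EXCLUSION_ARG.finditer(script):
        value = match.group(2) or match.group(3) or match.group(4)
        hits.append((match.group(1), value))
    return hits


def scan(cmdlines):
    """Run the check over a batch of command lines (for example the
    CommandLine field of Sysmon event ID 1) and return (index, hits) pairs."""
    findings = []
    for index, cmdline in enumerate(cmdlines):
        hits = find_defender_exclusions(cmdline)
        if hits:
            findings.append((index, hits))
    return findings


# Constructed sample command lines for the demonstration; they are not taken
# from this sample and the file names are placeholders.
SAMPLE_COMMANDLINES = [
    # An administrator merely listing preferences: must not alert.
    'powershell.exe -NoProfile -Command "Get-MpPreference | Select ExclusionPath"',
    # Plain-text exclusions for an extension, a path and a process.
    "powershell.exe Add-MpPreference -ExclusionExtension exe "
    "-ExclusionPath C:\\Users\\Public -ExclusionProcess 'updater.exe'",
    # The same technique hidden behind -EncodedCommand (abbreviated to -enc).
    "powershell.exe -w hidden -enc " + base64.b64encode(
        "Add-MpPreference -ExclusionPath $env:APPDATA".encode("utf-16-le")
    ).decode("ascii"),
    # Unrelated PowerShell with a look-alike "-E" switch: must not alert.
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_COMMANDLINES):
        print(f"[{index}] Defender exclusion(s) added: {hits}")
```

Only entries 1 and 2 of the constructed batch are flagged; the Get-MpPreference query and the -ExecutionPolicy invocation are left alone. In a real pipeline the same function would be fed the command-line field of each process-creation event, and the decoded script would additionally be checked for Set-MpPreference calls that turn protection features off.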

MITRE ATT&CK Enterprise v15