General

  • Target

    61c9668a897fa26c61a84cbb0c380b4f25ce694398d0db5da624188db83e9f72

  • Size

    694KB

  • Sample

    240930-k43h2a1frb

  • MD5

    43f5598c27b33b6442020a9037fac165

  • SHA1

    28b46f67fa3a77be4784c3870e59e0ca44873562

  • SHA256

    61c9668a897fa26c61a84cbb0c380b4f25ce694398d0db5da624188db83e9f72

  • SHA512

    dff4bbaab6f7b3958b405d1931d694572af7e769733a4c16dd479e96840416c1621cff6c69e05914d4dbf740bb91acccd9b42f4193b2e9619728a9fbadd00097

  • SSDEEP

    12288:/I3bJo3gCPeA/7/GoQS5AzUT3k0LFICr3d6n6Zo9pIvp/IT5X3YZT5Ay:U9o3gI7kyAsqCk6Z2+R/I3OT+y

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      Contract.exe

    • Size

      804KB

    • MD5

      4cf3e3ad3bbfaf2b2950f501466fefb7

    • SHA1

      32a330bd302d266d201621afa6b624a8e3aa6e04

    • SHA256

      953b66b361820b31e028c6eae7f14a8b57ca6dd231baae5045abbaf7455ab6f3

    • SHA512

      3d1c203c4a4b152dd93a975758cc49821ff7106cef3d26a3f766ac4e36011cc4078cb28f706591b01142282092cea966f38ed46dd8432f5d3035e4a812cf0dd0

    • SSDEEP

      12288:71ZF8K83T5BC9eA/7/GoC40zUi9d3hSvn6Q/tOz2L3pIzp/+TZwFIFIuh:7yZk7e40BdMf6eT+F/0Iuh

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks