General
-
Target
61c9668a897fa26c61a84cbb0c380b4f25ce694398d0db5da624188db83e9f72
-
Size
694KB
-
Sample
240930-k43h2a1frb
-
MD5
43f5598c27b33b6442020a9037fac165
-
SHA1
28b46f67fa3a77be4784c3870e59e0ca44873562
-
SHA256
61c9668a897fa26c61a84cbb0c380b4f25ce694398d0db5da624188db83e9f72
-
SHA512
dff4bbaab6f7b3958b405d1931d694572af7e769733a4c16dd479e96840416c1621cff6c69e05914d4dbf740bb91acccd9b42f4193b2e9619728a9fbadd00097
-
SSDEEP
12288:/I3bJo3gCPeA/7/GoQS5AzUT3k0LFICr3d6n6Zo9pIvp/IT5X3YZT5Ay:U9o3gI7kyAsqCk6Z2+R/I3OT+y
Static task
static1
Behavioral task
behavioral1
Sample
Contract.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Contract.exe
Resource
win10v2004-20240802-en
Malware Config
Extracted
vipkeylogger
Protocol: smtp
Host: mail.precioustouchfoundation.org
Port: 587
Username: [email protected]
Password: Pr3c!0Us2007
Email To: [email protected]
Targets
-
-
Target
Contract.exe
-
Size
804KB
-
MD5
4cf3e3ad3bbfaf2b2950f501466fefb7
-
SHA1
32a330bd302d266d201621afa6b624a8e3aa6e04
-
SHA256
953b66b361820b31e028c6eae7f14a8b57ca6dd231baae5045abbaf7455ab6f3
-
SHA512
3d1c203c4a4b152dd93a975758cc49821ff7106cef3d26a3f766ac4e36011cc4078cb28f706591b01142282092cea966f38ed46dd8432f5d3035e4a812cf0dd0
-
SSDEEP
12288:71ZF8K83T5BC9eA/7/GoC40zUi9d3hSvn6Q/tOz2L3pIzp/+TZwFIFIuh:7yZk7e40BdMf6eT+F/0Iuh
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first found in 2020.
-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter (1)
PowerShell (1)
Scheduled Task/Job (1)
Scheduled Task (1)
Credential Access
Credentials from Password Stores (1)
Credentials from Web Browsers (1)
Unsecured Credentials (2)
Credentials In Files (2)