General
Target: 727f9bc1791a4fad243171a8a2ccbfdf2a5ce2db86c41330abcbd3e378110f49
Size: 700KB
Sample: 240930-m9p61asakq
MD5: dfa190c01cc656da59c74b763eb17b51
SHA1: 761c411cab7634ffcc574b4570c31b610aa86289
SHA256: 727f9bc1791a4fad243171a8a2ccbfdf2a5ce2db86c41330abcbd3e378110f49
SHA512: 680aaf78e2e4036d37f39f291ca3796cdbae7d3a33b105bd365d8a97e63eb8816da8ede71077b0e71bd5bc5dd9f0a90b999d2a5a44ea716f0d901920d2e0d0dd
SSDEEP: 12288:y7Au23gwQxP1zDwznmYTyg9jRVWbTpoBx0mE7qQ19RNz/VZsuMMW:yku2hGP1zcnyg9CHpCI9TgV
Static task: static1
Behavioral task: behavioral1 (Sample: RFQ.exe, Resource: win7-20240903-en)
Behavioral task: behavioral2 (Sample: RFQ.exe, Resource: win10v2004-20240802-en)
Malware Config
Extracted (vipkeylogger)
Protocol: smtp
Host: foxwagon-equipment.com
Port: 587
Username: [email protected]
Password: SVBd8Gv^}!B1
Email To: [email protected]
Extracted
Protocol: smtp
Host: foxwagon-equipment.com
Port: 587
Username: [email protected]
Password: SVBd8Gv^}!B1
Targets
Target: RFQ.exe
Size: 817KB
MD5: 797fbf7b79618e7d5233dbcafbfc594a
SHA1: 3f21fc09f318cb84341a075ed9e04403c9654e48
SHA256: 9053503e04e6f82c193918911ad858c0583f7c0cff816e28f2c4c2be1684c718
SHA512: bc031d7a35270949bb65b859c5240b9ef8b870a61ebb53ff39d6cb0a2ef067dee1ddf888f39d5d8aabbf73034c00a5e6c515d8d0bb77cea3c1aa2a7a922917de
SSDEEP: 12288:p1ZF8K3rx229IwQj71DDwzNGY5cJojvRWEHTpiBDUUE7gQ6bOlH3TZkR:pyAx22Py71DcLcyQEzp0NJ
Signatures
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely as a geofence.
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (2)
    Credentials In Files (2)