General
- Target: ee1c8636e4267a32b001c2833194094176cfab5aedebffd6b70c77bc23e20dc5
- Size: 705KB
- Sample: 240930-tmev3stgmr
- MD5: bb422d6cbf9c225aea88be12c4feac3c
- SHA1: cdb7f74f12a6e22daa7333a0072d35ccf4772cee
- SHA256: ee1c8636e4267a32b001c2833194094176cfab5aedebffd6b70c77bc23e20dc5
- SHA512: f523222efe20a7de478f3e6339642b10880afaf842c49dbcd3118d103be4e2afd2bb6f29e2f6ae80f52fff400a0b5ae15da203701c3a77468ce597c410cebd35
- SSDEEP: 12288:WDTR0BATYluunhtlT8EUfbeoKlVOcyhlY458zveogk4NEcFVUkZL:FmTYl3nBT8/fb+lVOjhlY458bLgkREd
Static task: static1
Behavioral task: behavioral1
- Sample: invoice.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: invoice.exe
- Resource: win10v2004-20240802-en
Malware Config
Extracted (vipkeylogger)
- Protocol: smtp
- Host: foxwagon-equipment.com
- Port: 587
- Username: [email protected]
- Password: y*q.Xw3gh1G^
- Email To: [email protected]
- Telegram: https://api.telegram.org/bot8144643983:AAG0azbpc0gN0CUUOjIv835SRU8dPhGM6_c/sendMessage?chat_id=6595599138
Extracted
- Protocol: smtp
- Host: foxwagon-equipment.com
- Port: 587
- Username: [email protected]
- Password: y*q.Xw3gh1G^
Targets
- Target: invoice.exe
- Size: 776KB
- MD5: 440bd4d91f9ee44980e2d8b56d492076
- SHA1: 1988249976cfb0bca93059d388a365ddd2f33132
- SHA256: 77bd3a8a98e2b6e321cbf9cb27f460b89de4f6dc2a45e4a0ca2a9eae42830fe4
- SHA512: 457268f8baed34bf9c050b4a6443b4f40177e95e1abb0ff7e23872ef98cc163036480cf6a882fac71de8d7ae5586d64c43b9b155265a7eba02815744dd4f5be6
- SSDEEP: 24576:Iy5zeTyb5n1ToRfbq9/qRhHYUt8PdgYDEwj:9zS4ToRDIq78PdgYD7
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (2)
  - Credentials In Files (2)