General

  • Target: 500c7dd9a5251e454d29ee7ab696f2bcbd3540cbbb1a4529797e10e5426fd026
  • Size: 759KB
  • Sample: 240930-ty9jtsvelj
  • MD5: b8434a29b02795d1f470f3c7c2790045
  • SHA1: d71234cc2c04a6ec9b1c51d0fc2de7a215b6de9a
  • SHA256: 500c7dd9a5251e454d29ee7ab696f2bcbd3540cbbb1a4529797e10e5426fd026
  • SHA512: 96bbfcd878f7a855a76e6f1b7b5d0329357fa020d53f3084eb62f95fed5dc7e10c268e03490cd7f684b48b03289695948186bd19ca878cb7edb004a70f613f7f
  • SSDEEP: 12288:2AlFgDbtF+U+OsgjUDiU7ESQC6yYaiSzSzYO6fRtpe0wkZuK6po32/q3G4JZOptn:xwVkRtQC6yY+7R1Zg2G/q3TqlJ

Malware Config

Extracted

Credentials

  • Protocol: smtp
  • Host: mail.terrazza.hr
  • Port: 587
  • Username: [email protected]
  • Password: Vodenjak123!

Extracted

Family: vipkeylogger


Targets

    • Target: Premium_Settlement_for_Oustanding_Dues_Settlement_pdf.exe
    • Size: 786KB
    • MD5: 085a88b82b13a3471ed6130311a9e6e0
    • SHA1: 03f8cd4a4d6f489c69c90dddf0fb38e21f7508ec
    • SHA256: e63da6759a84f90f8e0f9c87eb519f053b125378c9617170b37c5ab92a856036
    • SHA512: 5eee8c64d5a42febf089bb68ed4eb687941df3cb61165de60427c2be9e20281aee1d4a9c33c96006af2f458b1dd8ab23e3a7bade47e093f98b7e67d38c97f1f7
    • SSDEEP: 12288:iCVTcsOSgBDm70a7sSgC6yyagSzSzYO6rPtze0Uk7umqpo32nm3G4JxoZtW5:lVTcsrgw7vgC6yyKVPX7W2Gnm3Tw25

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Accesses Microsoft Outlook profiles

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
