General

  • Target

    727f9bc1791a4fad243171a8a2ccbfdf2a5ce2db86c41330abcbd3e378110f49

  • Size

    700KB

  • Sample

    240930-tzeqvavelr

  • MD5

    dfa190c01cc656da59c74b763eb17b51

  • SHA1

    761c411cab7634ffcc574b4570c31b610aa86289

  • SHA256

    727f9bc1791a4fad243171a8a2ccbfdf2a5ce2db86c41330abcbd3e378110f49

  • SHA512

    680aaf78e2e4036d37f39f291ca3796cdbae7d3a33b105bd365d8a97e63eb8816da8ede71077b0e71bd5bc5dd9f0a90b999d2a5a44ea716f0d901920d2e0d0dd

  • SSDEEP

    12288:y7Au23gwQxP1zDwznmYTyg9jRVWbTpoBx0mE7qQ19RNz/VZsuMMW:yku2hGP1zcnyg9CHpCI9TgV

Malware Config

Extracted

Family

vipkeylogger

Credentials

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    foxwagon-equipment.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    SVBd8Gv^}!B1

Targets

    • Target

      RFQ.exe

    • Size

      817KB

    • MD5

      797fbf7b79618e7d5233dbcafbfc594a

    • SHA1

      3f21fc09f318cb84341a075ed9e04403c9654e48

    • SHA256

      9053503e04e6f82c193918911ad858c0583f7c0cff816e28f2c4c2be1684c718

    • SHA512

      bc031d7a35270949bb65b859c5240b9ef8b870a61ebb53ff39d6cb0a2ef067dee1ddf888f39d5d8aabbf73034c00a5e6c515d8d0bb77cea3c1aa2a7a922917de

    • SSDEEP

      12288:p1ZF8K3rx229IwQj71DDwzNGY5cJojvRWEHTpiBDUUE7gQ6bOlH3TZkR:pyAx22Py71DcLcyQEzp0NJ

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks