General

  • Target

    f2ed272709700a94e6698dc27cdf88ff88ea9e6ccb7f6ede38df075cc28e6549

  • Size

    690KB

  • Sample

    240930-vtbbxazhqf

  • MD5

    70b3076865eede530284e80f2f69c531

  • SHA1

    b8319104a8e47750f85fb7b6ff77c13a16e78ab4

  • SHA256

    f2ed272709700a94e6698dc27cdf88ff88ea9e6ccb7f6ede38df075cc28e6549

  • SHA512

    76cbfd1458b8be69ecd91de8280f24ef0adab68d3695f99163178fa3ec7d8a36973678990bb986b406120c519b51a95dd21a3fa985422714917dae309879e39b

  • SSDEEP

    12288:5PBRgw74SoqGW1GSKUlvlaA9R8HkVSA3bqMWfSNVCE:Zdv1i8v4A9tSMbdHN1

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      RFQ__PO_6353637355363-PDF.exe

    • Size

      800KB

    • MD5

      15d472c1aec8edf059bc8d2c0a25c4c5

    • SHA1

      d403535a112bcc6081db26483f7929b10ae159c4

    • SHA256

      dcd9ff1cf45590fc2015b32feca04815025d09917810d5277b0b2275d7493755

    • SHA512

      b8f5d2baf2532aedd42ff2c5d36e2701307a16f706147fcf3d17dbcfaefa554f24123f4e52d1cea318f71f00864953da5504df1f6d389e12bf5eda57fb881e80

    • SSDEEP

      12288:41ZF8KpTlJU74qoqmW1OS4UvvnZ61DjyiU/7g8JDwOJGVp7CH3TNAc:4yc7Erv1oQvZKDWT7g85wPvkAc

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first observed in 2020.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks