General

  • Target

    d867fd2075a1752a30763ec2f6d702a933bdf611443003fa76042b32536993f9

  • Size

    697KB

  • Sample

    240930-xadn2atdnc

  • MD5

    9cd13440733acc1564cff68b6c977147

  • SHA1

    6341cd8fe7a3890b136a3a737204e0d8160a65a7

  • SHA256

    d867fd2075a1752a30763ec2f6d702a933bdf611443003fa76042b32536993f9

  • SHA512

    63e6ddd0214b3a4bbc8dfaaaac3a8e5f63d05fcf9b749330f3cde1a78415bb82d962a948bf4dea63a8f01544aff1d325b2835f70db4a95ee93c9936a6595731b

  • SSDEEP

    12288:3VA1b9+RZQut1hHaUZeycuf73v/y4FXC39wRABVl9TNue37xg65AkmQe7ZscEGHP:Fwb9MvtbHaUPVTAtsABVlhNJ3NvZe7ZF

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      RFQ__PO_6353637355363-PDF____PDF.exe

    • Size

      760KB

    • MD5

      08c264a28c86322bb0692192c469aa26

    • SHA1

      f31f71a34c36f1a5369bd8dcb55381c19c6a3f01

    • SHA256

      d408c8cb491bb3c567a3a68932e0253ad246f130013892b6009fa0d656fd7076

    • SHA512

      10b5b1745794d386fdb16814807ae256fee17e51889b8935314bad678d7120301674e8719e0ca0ca561d4f0fc8387847e28973630cd18885dc4449190f7d3b85

    • SSDEEP

      12288:1y9z+RFQutnhfaCZescuF7Tv/E4xXC39UREfVlrTNuy37xY65QkmQE7Zsc:A9zavthfaC/VXstAEfVlPNb3NXpE7Zs

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks