General

  • Target

    ee1c8636e4267a32b001c2833194094176cfab5aedebffd6b70c77bc23e20dc5

  • Size

    705KB

  • Sample

    240930-xbrx2szdjp

  • MD5

    bb422d6cbf9c225aea88be12c4feac3c

  • SHA1

    cdb7f74f12a6e22daa7333a0072d35ccf4772cee

  • SHA256

    ee1c8636e4267a32b001c2833194094176cfab5aedebffd6b70c77bc23e20dc5

  • SHA512

    f523222efe20a7de478f3e6339642b10880afaf842c49dbcd3118d103be4e2afd2bb6f29e2f6ae80f52fff400a0b5ae15da203701c3a77468ce597c410cebd35

  • SSDEEP

    12288:WDTR0BATYluunhtlT8EUfbeoKlVOcyhlY458zveogk4NEcFVUkZL:FmTYl3nBT8/fb+lVOjhlY458bLgkREd

Malware Config

Extracted

  • Family

    vipkeylogger

  • Credentials

  • C2

    https://api.telegram.org/bot8144643983:AAG0azbpc0gN0CUUOjIv835SRU8dPhGM6_c/sendMessage?chat_id=6595599138

Extracted

Credentials

  • Protocol

    smtp

  • Host

    foxwagon-equipment.com

  • Port

    587

  • Username

    [email protected]

  • Password

    y*q.Xw3gh1G^

Targets

    • Target

      invoice.exe

    • Size

      776KB

    • MD5

      440bd4d91f9ee44980e2d8b56d492076

    • SHA1

      1988249976cfb0bca93059d388a365ddd2f33132

    • SHA256

      77bd3a8a98e2b6e321cbf9cb27f460b89de4f6dc2a45e4a0ca2a9eae42830fe4

    • SHA512

      457268f8baed34bf9c050b4a6443b4f40177e95e1abb0ff7e23872ef98cc163036480cf6a882fac71de8d7ae5586d64c43b9b155265a7eba02815744dd4f5be6

    • SSDEEP

      24576:Iy5zeTyb5n1ToRfbq9/qRhHYUt8PdgYDEwj:9zS4ToRDIq78PdgYD7

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP address.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks