General

  • Target

    bb1734dc35fce4b73d1edb980b97459a3b97ca18.rar.tar.gz

  • Size

    71KB

  • Sample

    241001-c4yabawgmr

  • MD5

    77f338ee49015065dbcbefee689ef456

  • SHA1

    30862fc91fe894dd9dfcc44674cd720fb469fc22

  • SHA256

    eddc1f1f36222555d38e95d9d3edf56bbe417fce33ec4c84135a586f7a7304d1

  • SHA512

    126ace2e05581be3a4fb47c5f4a8934f81fb98af506485e11ce101046eeda08dfec1886e7b74c923631cfecd7947cd022260a3a6bedaa19fb13ccfbe85989321

  • SSDEEP

    1536:qa/ASLzRvHzMsEIqEIqT4m9OXjfsPRKtDDe/hN+xrzLfQ8LHi:D/DHov89SjfAR6DSpN+lo8+

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7371892501:AAE6c_q-yLsVj82ZZEmMuRlQtTm95MBjCz0/sendMessage?chat_id=6750192797

Targets

    • Target

      RFQ-00032035.PDF.scr

    • Size

      186KB

    • MD5

      4c7c55280d405f6241f4c9f236fdea24

    • SHA1

      dfd1a0dce53f0a445ec6ad9f6d1266e96dec8f66

    • SHA256

      013d183433171067d14d79fb2288fa94689963e60482da638800f23834710e19

    • SHA512

      6cabc92097834307fb02f5687a19db6a93fe88f0c53cada037fe2f0eafb247ea7be249b460f53808a875c8febcf3460df235f8f4268370da92a11fb528dd0a10

    • SSDEEP

      3072:qh1KoemdZEhelYiU8aTTwmDOop3Q+Rt5IxMSke+mNOGW3emb4XBHTtOhu2qkWf3M:Doemd3lYiU5MmDOop3Q+RsxMSke+mNOW

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first found in 2020.

    • Accesses Microsoft Outlook profiles

    • Creates a large number of network flows

      This may indicate a network scan to discover remotely running services.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
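The two actionable pieces of this report are the extracted Telegram C2 (the exfiltration channel is a Bot API sendMessage call, so the bot token and chat_id are the indicators worth keeping) and the dropper name, whose .PDF.scr double extension hides a PE executable behind a document-looking lure. The script below, an added example that is not part of the sandbox report or of any analysis tool, turns both into reusable indicators: it parses the C2 URL into bot id, token, method and chat_id, redacts the token for sharing, emits a YARA rule for sweeping memory dumps and unpacked payloads, and flags the double-extension lure. It relies only on the documented Telegram Bot API URL shape (https://api.telegram.org/bot<TOKEN>/<method>?chat_id=<ID>); the function names, the YARA rule name and the extension lists are my own assumptions.

```python
"""Turn the extracted VIPKeylogger config above into reusable indicators.

Added example, not part of the sandbox report or of any analysis tool. It
relies only on the documented Telegram Bot API URL shape
(https://api.telegram.org/bot<TOKEN>/<method>?chat_id=<ID>); the function
names, the YARA rule name and the extension lists are assumptions.
"""
import re
from urllib.parse import parse_qs, urlsplit

# C2 URL copied from the "Malware Config" section of this page.
C2_URL = (
    "https://api.telegram.org/bot7371892501:AAE6c_q-yLsVj82ZZEmMuRlQtTm95MBjCz0"
    "/sendMessage?chat_id=6750192797"
)

# Dropper name from the "Targets" section: a .scr (screensaver) is a PE
# executable, so the ".PDF.scr" double extension is a lure.
DROPPER_NAME = "RFQ-00032035.PDF.scr"

# A bot token is "<numeric bot id>:<secret>"; the numeric id survives token
# rotation and is what to key correlation on.
PATH_RE = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)$")


def parse_telegram_c2(url):
    """Return {'bot_id','token','method','chat_id'} or None if not a Bot API call."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != "api.telegram.org":
        return None
    m = PATH_RE.match(parts.path)
    if not m:
        return None
    chat = parse_qs(parts.query).get("chat_id", [None])[0]
    return {
        "bot_id": m.group("bot_id"),
        "token": f"{m.group('bot_id')}:{m.group('secret')}",
        "method": m.group("method"),
        "chat_id": chat,
    }


def redact_token(token, keep=4):
    """Keep the bot id and the first few secret chars; hide the rest for sharing."""
    bot_id, _, secret = token.partition(":")
    return f"{bot_id}:{secret[:keep]}{'*' * max(len(secret) - keep, 0)}"


def yara_rule(ind, name="VIPKeylogger_telegram_c2"):
    """Build a YARA rule matching the token or the chat_id parameter, as ASCII or
    UTF-16 (.NET stores string literals wide), for dumps and unpacked payloads."""
    return "\n".join([
        f"rule {name}",
        "{",
        "    strings:",
        f"        $token = \"bot{ind['token']}\" ascii wide",
        f"        $chat = \"chat_id={ind['chat_id']}\" ascii wide",
        "    condition:",
        "        $token or $chat",
        "}",
    ])


# Assumed lists: extensions Windows executes vs. extensions a lure imitates.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def is_double_extension_lure(filename):
    """True when a document-looking name actually ends in an executable extension."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    return f".{parts[2]}" in EXEC_EXTS and f".{parts[1]}" in DOC_EXTS


if __name__ == "__main__":
    ind = parse_telegram_c2(C2_URL)
    print("bot id:", ind["bot_id"], "chat id:", ind["chat_id"], "method:", ind["method"])
    print("shareable token:", redact_token(ind["token"]))
    print(yara_rule(ind))
    print(DROPPER_NAME, "double-extension lure:", is_double_extension_lure(DROPPER_NAME))
```

Because the C2 is HTTPS, a network sensor without TLS inspection sees only the api.telegram.org SNI, which also covers legitimate bots; the token and chat_id are therefore most useful host-side (YARA over process memory or the unpacked payload) and for reporting the bot to Telegram, not as a standalone network signature.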

MITRE ATT&CK Enterprise v15

Tasks