General

  • Target

    Settlement_Payment_Advise_pdf.exe

  • Size

    815KB

  • Sample

    241002-qq7tgsybnq

  • MD5

    f301fd124e4a1e98a0940a6897174c9d

  • SHA1

    b7524db5c28cf5174272ed230c620c6b1120b04d

  • SHA256

    d7b641d0151a05ea88a81ce63ba1f8dec700c584203b3978daa4e143af7bfac4

  • SHA512

    8228ed551aa5d9f86c417cdbd19c1a3facb2bd545367c1db5b07b7048acdba6ed8b664ea70f7686e127a457f1c66ff7f188a2f0c1ae45e45e1033d6c9da03566

  • SSDEEP

    24576:PVTcsrgw74/EeWZAULhyeT7W2Gnm3Tw2a:PVcOgDslBVS2Gnm3THa

Malware Config

  • Extracted family

    vipkeylogger

  • Credentials

Targets

    • Target

      Settlement_Payment_Advise_pdf.exe

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Accesses Microsoft Outlook profiles

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks