General

  • Target

    e1a37c0798667d6caf1f567b562872fc3e91136ea4bf6ac07f5c442c651010c0

  • Size

    816KB

  • Sample

    241003-hx8elavapc

  • MD5

    cafe56b78b18bfb7e29cadd6f4372135

  • SHA1

    df173f6e96f9e1c3da18a60f98fb9cc25984cdff

  • SHA256

    e1a37c0798667d6caf1f567b562872fc3e91136ea4bf6ac07f5c442c651010c0

  • SHA512

    a91457a4d9672c339e39cd47ea0b555ee109cb898e63525a32f359928a21a5f9fe7fbd4400352bddde6809f0f05fac99a34209303f5303bd4dad0ab223b42d4b

  • SSDEEP

    12288:ToBFxtY+tQci/OeLtxRXkf8cZMQ3X3r5/MStTClsNH8kYkXuxKxUc4yyFhT:0fzxNi5RXkGQnldJm3kxXJyFt

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.awaratrendz.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    Q&N.)e{R7G^]

Extracted

Family

vipkeylogger

Targets

    • Target

      offer.pdf.exe

    • Size

      1.1MB

    • MD5

      ddd764f5db42b068e1d14bdb8e89e32e

    • SHA1

      8bea1272325ac17dabd0f820e2e822035222bc13

    • SHA256

      80901284eab8de2631adda7fd1f089640c1c5891f30a2c2de8c77c293d3a5e11

    • SHA512

      b938f0d6a8d2a4f933c659576b711fa5691f203161ad2e8b2c2f96fb225446f131d2b2afb0d4964cccfa03e5e6247b763d2d82f19d6ff813cb0cbef09ea365db

    • SSDEEP

      12288:Tu9e78iSqcgdCXBeOe/Zyt//EFz6s1x5/MctTWlMXH8TxoRDM02E3s4TmO9CwXtH:+u8gcRcZyFMF6spxJC/TyRoVE3b

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks