General

  • Target

    bbbc844bf82ea997ab5cfd67fa2cf2dfd258238fad3aae60f79c83e18b53e17a

  • Size

    809KB

  • Sample

    241003-nadvcs1apg

  • MD5

    d54cb71dd5cb5f6526caba0af47a7bca

  • SHA1

    091a8401d299bbfca6df7a64e85f183e06127024

  • SHA256

    bbbc844bf82ea997ab5cfd67fa2cf2dfd258238fad3aae60f79c83e18b53e17a

  • SHA512

    b463634298a290e1dc3cea637777011b3290d8a796ee57efa03a1aff6baa9ae71e140878c0f905d3b0e4f9a32cbec79ae43a8749cc8a47f914d819fc26747f46

  • SSDEEP

    12288:3o2HP4L6cOthgBv1UocJ0UJ6oXRs8IM4yCv51ivR+8tqcqdQ0iVBYTpKj9mYvCBU:V4Lxq2MocOogxXvuZaRu0kKfU

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7981479098:AAGlhAiCCr0chNTC0W-0deoiSiqAaLukVdA/sendMessage?chat_id=7639257039

Targets

    • Target

      DOC_1WD8M_P7JX9_S3DGB.scr

    • Size

      1.9MB

    • MD5

      a026b6b33da23ff080902254c9da5538

    • SHA1

      8e8340d50402e439d97bbffcf55e1ce4311d30e3

    • SHA256

      386b1d73db67e0cb418ffe97a6d93fb502cde6d3ba537d67bd626a21820e12da

    • SHA512

      8050781a72203fff34c0bb6b74914c76076806ebd6bc046567eb30617f024ff9c7dfadf1d0144e113586b8af039264b25158222e8e95fa0c40b776646319c1e3

    • SSDEEP

      24576:NlsveSgHNM3GTtQHy4ZIs7VxCGDwyrfPeL8wI:NtM3GtQHVUafPeG

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, and infostealers often target that data.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks