General

  • Target

    295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N

  • Size

    547KB

  • Sample

    241003-x5j5asseqm

  • MD5

    7c9c30680dd2f61cd7f5a93527cd2200

  • SHA1

    2f1121e93475e3dba2d25ed10fc8fd1ae3d2e982

  • SHA256

    295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83

  • SHA512

    dd233d82e64c9be1e89d6d6670e0d10e411a82d27205010e98a1a070e01a2a392c1d903749474319bb3a59bc57f0bcf4e829128de5226f51182ef4b962eb819e

  • SSDEEP

    6144:UvEN2U+T6i5LirrllHy4HUcMQY6Fn5wnb+gWxb3:GENN+T5xYrllrU7QY6Nb3

Malware Config

Extracted

Family

vipkeylogger

Targets

    • Target

      295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks