General

  • Target: Urgent inquiry for quotation.7z
  • Size: 848KB
  • Sample: 241003-xsveha1hml
  • MD5: 5e202e2b5871f7736b33a177b6a51157
  • SHA1: 25deda71a75b374782dacbbaf533ae1ac2786491
  • SHA256: d407f1a0854712d59ca48e524957781374828d86fab2b73305838235a9093b1a
  • SHA512: afcedf94ca5e6a8e0e90687d600d683fe50713dab572f9c7a81a4ff22030a6f7727d824328734ee375a07c8c97e7d9af51958a552e6a084312012dabf5865378
  • SSDEEP: 24576:jaPv/3RMg41Bb4ACMnXT7/u4R5/a6Rq3abFf3Y5:j6v/BMT1LTRtdqKto5

Malware Config

Extracted

Family

vipkeylogger

Credentials

C2: https://api.telegram.org/bot7323823089:AAFBRsTW94zIpSoDS8yfGsotlQLqF2I6TU0/sendMessage?chat_id=5013849544

Targets

    • Target: Urgent inquiry for quotation.exe
    • Size: 1.2MB
    • MD5: 99f8afeaf690544887a8bfc9243f3c7f
    • SHA1: 49ac8b9909d9c429530860e851a81f1262a5ce14
    • SHA256: cc4e80189451b050cc7bc90aa3fa787a4e3a50a0cc6f845fa68bdc849b1f5d14
    • SHA512: 02b7f53d0430b172599f5449b78b83fe722fa5443e02e9b6b116a964d1cb008c5c0dd5d0909930f66c37bef6214bbb5d1c3f440ccb6e930f68462ba677d87e0a
    • SSDEEP: 24576:ffmMv6Ckr7Mny5QLpJtGoBCZNyozGcuYViYxy7Y5b:f3v+7/5QLpJaZNKcoYxPB

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first found in 2020.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks