General

  • Target

    bnmagodmnb.doc

  • Size

    674KB

  • Sample

    241004-jtr4wawhpd

  • MD5

    6f937970f5ba3d9da4b66f1bc7c5e820

  • SHA1

    403a9e727a52c64060b9e02a0aa79c8fd46506d8

  • SHA256

    52ba6d07874484044d15877d81ae2606501881571627174c044f87908d7bdb01

  • SHA512

    458b5283b73d64e739548bbe9eb358a8cdd95a1c5491660855ca7a937d24959cd81827503852b2225a6a12f3e37c7ec57f65ed89f431f161737a148ccc3b86dc

  • SSDEEP

    3072:OwAlawAlawAlwGruaz9ezP6KVcKLB4xJ/9NczzH4InNFM+bsbraTH8:OwAYwAYwATVezP6Kl+xJ/T4nwHbraTH8

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      bnmagodmnb.doc

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first found in 2020.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks