General

  • Target

    4060b794abc0cb46e4a243038c201fd55e01842f8c475cf2524bbe2447125105.doc

  • Size

    581KB

  • Sample

    241005-bmewza1drc

  • MD5

    205e22dba6c73c938c19d5a9b211f1e2

  • SHA1

    38603ef00f1582fd6d2152baec0bbc328e654a7d

  • SHA256

    4060b794abc0cb46e4a243038c201fd55e01842f8c475cf2524bbe2447125105

  • SHA512

    dfa52c69248907ef229377d4bd6b1dfef99af6f247569fe1046fda01da31db607d53f6ef5c7ce9eb9c3058848c8b4946ad8f350ddd68108c3cd8b77a9c017603

  • SSDEEP

    6144:W2wAYwAYwAYwAYwAmy+402BXGmZviZk259Utd1gHv:W5

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      4060b794abc0cb46e4a243038c201fd55e01842f8c475cf2524bbe2447125105.doc

    • Size

      581KB

    • MD5

      205e22dba6c73c938c19d5a9b211f1e2

    • SHA1

      38603ef00f1582fd6d2152baec0bbc328e654a7d

    • SHA256

      4060b794abc0cb46e4a243038c201fd55e01842f8c475cf2524bbe2447125105

    • SHA512

      dfa52c69248907ef229377d4bd6b1dfef99af6f247569fe1046fda01da31db607d53f6ef5c7ce9eb9c3058848c8b4946ad8f350ddd68108c3cd8b77a9c017603

    • SSDEEP

      6144:W2wAYwAYwAYwAYwAmy+402BXGmZviZk259Utd1gHv:W5

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks