General

  • Target

    8cc53b82d9a58a0341d7d37b92024d00b05fa0839264f45e31165884160cf564N

  • Size

    700KB

  • Sample

    241005-jbh39ashmq

  • MD5

    ff01693e0b3899ffa568ddccecda24a0

  • SHA1

    75ff45a7828cf4e9a90b2e675ab66e76178fa1da

  • SHA256

    8cc53b82d9a58a0341d7d37b92024d00b05fa0839264f45e31165884160cf564

  • SHA512

    3aeb235f1ca155bc4c0ab8e1defafa934850ba0e23aa981075a41cd5206d46b57557c648a9c3885062781f428d02c72b3b3d897d119fc3e734e9095982d96a93

  • SSDEEP

    12288:0dWwUGjw3yDKPjcWOrYgsPNQPRIEdJBrODh5l0xlVvtxU7k4a3cQYzKVoa:8UGOyD4jWrz7PuEdfrOFsBxQkDcQ3oa

Malware Config

Extracted

Family

vipkeylogger

Credentials

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.jhxkgroup.online
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    7213575aceACE@@

Targets

    • Target

      8cc53b82d9a58a0341d7d37b92024d00b05fa0839264f45e31165884160cf564N

    • Size

      700KB

    • MD5

      ff01693e0b3899ffa568ddccecda24a0

    • SHA1

      75ff45a7828cf4e9a90b2e675ab66e76178fa1da

    • SHA256

      8cc53b82d9a58a0341d7d37b92024d00b05fa0839264f45e31165884160cf564

    • SHA512

      3aeb235f1ca155bc4c0ab8e1defafa934850ba0e23aa981075a41cd5206d46b57557c648a9c3885062781f428d02c72b3b3d897d119fc3e734e9095982d96a93

    • SSDEEP

      12288:0dWwUGjw3yDKPjcWOrYgsPNQPRIEdJBrODh5l0xlVvtxU7k4a3cQYzKVoa:8UGOyD4jWrz7PuEdfrOFsBxQkDcQ3oa

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks