Overview

overview

10

Static

static

3

RFQ 2413AM-KE2800.scr

windows7-x64

10

RFQ 2413AM-KE2800.scr

windows10-2004-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    RFQ 2413AM-KE2800_1.cab.rar

  • Size

    679KB

  • Sample

    241009-wmfhqa1amr

  • MD5

    5ec04b904f4de409c5b147ced39e5640

  • SHA1

    089eccf6fcee18c090043794068dd2743caae2d2

  • SHA256

    93321f19971c78dfb64536e7e32fa8247fde0c62782d9db85a691fdc82a00833

  • SHA512

    7dc897c37a548bcbfe4b7e127cc71b9aba2c7e66516ca1a532b257a6d333d8fdde19fdece7d44117e0edacb0aa317869a4b597a467f27651d36aa31f78047ad4

  • SSDEEP

    12288:Z2MwHCwjdTm3R8v2yxngkgy/Q9mAoO0fHZBN8dzBi6lHiF/t:Z2MwHxdwR8v2TyALoO0fHZSB/cFl

Score
10/10
vipkeyloggercollectiondiscoveryexecutionkeyloggerstealer

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7371892501:AAE6c_q-yLsVj82ZZEmMuRlQtTm95MBjCz0/sendMessage?chat_id=6750192797

Targets

    • Target

      RFQ 2413AM-KE2800.scr

    • Size

      842KB

    • MD5

      261a093587e5f10ce389ace0cae77c90

    • SHA1

      f2a2abf88c0f6943b75c67ed3eea42428258ae5e

    • SHA256

      2c8cf59d58ccdfe9e35850251328241a99b7ebafe85fd5b7dc580db900e31e0f

    • SHA512

      41e64aae00e9e5bdaae34fbc4f9309b598f3444beb18d59686f27eccadd731f475852a7121eeb0de27c2405e741b8ea7b06925f3af72071a212332ac59e9fbb7

    • SSDEEP

      12288:yUmEQEhoN+zwDB0d3Mi6LaiOfHVrdz78a8mUSUFxdpVqWQuZoH:CEQEhoN+zwDB28idr5fUSUdVDQuZ

    Score
    10/10
    vipkeyloggercollectiondiscoveryexecutionkeyloggerstealer

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

      stealerkeyloggervipkeylogger

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks