General

  • Target: Remmitance for Invoice INV67537829 Payment.pdf.exe

  • Size: 856KB

  • Sample: 241021-q8zwlawenh

  • MD5: 86632775e2f5776bfce4c7e2df632903

  • SHA1: 921d772df60b49676ae2c512fcc15e86d33965ca

  • SHA256: e1f1e5970511d1bebefffb1d2da35cc65cd287d9c7be042c194fa8f8dce37cec

  • SHA512: e3169916e2144e9f64e2eafa13805c231713733fc213e5827f6d38af3ff47383eee819389e8df9265067f374e1f93432e5288175c9c6ba3d09721a67b58caeec

  • SSDEEP: 24576:/aApdWAzcP5hb7e79uU9Pq/33Grj+alCJmvulW6Nd0v6:ppd1cRN6pMS+m7mwMA6

Malware Config

Extracted

  • Family: vipkeylogger

  • Credentials

Targets

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Accesses Microsoft Outlook profiles

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15