General

  • Target

    30e0259012e5808f7a34b0a9c7fba9194ae40bfa6fcba4a6f28787623a5f8cb1

  • Size

    319KB

  • Sample

    241022-1zdl4sydrm

  • MD5

    2067ab5c7dccaf617d8bcd49d82377e7

  • SHA1

    41ec569c2e6dde09b588092c01af599fdb8b3101

  • SHA256

    30e0259012e5808f7a34b0a9c7fba9194ae40bfa6fcba4a6f28787623a5f8cb1

  • SHA512

    1db3242c04006754127cbb14e75f4b5558908ae8b79ce9116059cd8d1acaa7787d591e4088b464e44f8dda8bfc2a8209e36246c07adb6c7470035eb6a3a5b193

  • SSDEEP

    6144:107JHBA0B56szCXqqqqqmzYhuO+FLh5C2z9mL9:+d/qYYFNHrz98

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Abuses OpenXML format to download file from external location

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, and infostealers often target it there.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive material.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
