General

  • Target

    22102024_1613_21102024_RF_DHL KULI500796821.PDF.gz

  • Size

    697KB

  • Sample

    241022-tpem4awbkr

  • MD5

    cd2017d41836fe93fd3bb000a4943578

  • SHA1

    c31efc72734207e3d336c76d252625151e403410

  • SHA256

    ab263c3f913b42d9c1e9a8f2e72ed410bfd03fd6b714c2273264425a1c06e3c3

  • SHA512

    44439379807f16b27f500ff73b93860dd8b13b46cc4b8f8c34ae59c20f1ad5f4d8d4c16ae7cfb6f36961367f9274c01a7ab6e1050c6bbab643bdaeb51f4eb501

  • SSDEEP

    12288:+SJMoulXZvzf+w4Ie8JO65qprJOQo/soP+q9WnACSaBRv1wUU00atM:+SJxu7iaF8m/sMKnACdR9w0q
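The sample is a gzip wrapper around a double-extension lure (`RF_DHL KULI500796821.PDF.exe`). The following helper is an added example, not code from the sandbox or the report: it hashes the outer `.gz` the way the report does, recovers the original member name from the gzip header (the RFC 1952 FNAME field, which `gzip.decompress` does not expose), hashes the inner member, flags the `.PDF.exe` pattern and compares the result against the SHA256 values copied from this page. The sample bytes built by `build_sample` are constructed for the demonstration and do not reproduce the real malware; `has_double_extension`'s extension lists are assumptions chosen for illustration.

```python
"""Added triage helper (not part of the sandbox report)."""
import gzip
import hashlib
import io
import struct

# SHA256 values copied from the report: outer .gz and the inner .exe it contains.
REPORT_OUTER_SHA256 = "ab263c3f913b42d9c1e9a8f2e72ed410bfd03fd6b714c2273264425a1c06e3c3"
REPORT_INNER_SHA256 = "a4f9afdb0335a81fbca040cbebd5a514e1e11d668022048823e465b4c752793d"

# gzip header flag bits (RFC 1952); only FEXTRA and FNAME affect where the name sits.
FEXTRA, FNAME = 0x04, 0x08

# Assumed lure/executable extension lists (illustrative, not from the report).
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png")
EXEC_EXTS = ("exe", "scr", "com", "bat", "js", "vbs")


def hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256/SHA512 of a byte string, hex-encoded like the report."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}


def gzip_original_name(blob: bytes):
    """Return the FNAME field from a gzip header, or None if the header has none."""
    if blob[:2] != b"\x1f\x8b" or blob[2] != 8:
        raise ValueError("not a gzip/deflate stream")
    flags = blob[3]
    pos = 10                      # fixed part: id1 id2 cm flg mtime(4) xfl os
    if flags & FEXTRA:            # skip the optional extra field first
        (xlen,) = struct.unpack_from("<H", blob, pos)
        pos += 2 + xlen
    if not flags & FNAME:
        return None
    end = blob.index(b"\x00", pos)   # FNAME is NUL-terminated Latin-1
    return blob[pos:end].decode("latin-1")


def has_double_extension(name: str) -> bool:
    """True for names like 'X.PDF.exe': a document extension hiding an executable."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and "." + parts[1] in DOC_EXTS and parts[2] in EXEC_EXTS


def triage(blob: bytes) -> dict:
    """Hash wrapper and member, recover the member name and compare to the report."""
    inner = gzip.decompress(blob)
    name = gzip_original_name(blob)
    return {
        "outer": hashes(blob),
        "inner": hashes(inner),
        "inner_name": name,
        "double_extension": has_double_extension(name or ""),
        "is_pe": inner[:2] == b"MZ",
        "matches_report_outer": hashes(blob)["sha256"] == REPORT_OUTER_SHA256,
        "matches_report_inner": hashes(inner)["sha256"] == REPORT_INNER_SHA256,
    }


def build_sample(inner_name: str, payload: bytes) -> bytes:
    """Constructed stand-in for the lure: a gzip member carrying the given name.
    An empty name produces a header without FNAME."""
    buf = io.BytesIO()
    with gzip.GzipFile(filename=inner_name, mode="wb", fileobj=buf, mtime=0) as gz:
        gz.write(payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed input: a fake MZ stub, not the real sample.
    sample = build_sample("RF_DHL KULI500796821.PDF.exe", b"MZ" + b"\x00" * 62 + b"not a real PE")
    for key, value in triage(sample).items():
        print(key, value)
```

Against the real artefact, `triage(open(path, "rb").read())` should report `matches_report_outer` and `matches_report_inner` as true; on anything else both stay false, which is the point of checking the member hash rather than trusting the wrapper's filename.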

Malware Config

Extracted

  • Family

    vipkeylogger

  • Credentials

Targets

    • Target

      RF_DHL KULI500796821.PDF.exe

    • Size

      747KB

    • MD5

      27950496141d3583eafb12c7b42ac9a5

    • SHA1

      708989cb471cf641b34587ac22c110585aeaae76

    • SHA256

      a4f9afdb0335a81fbca040cbebd5a514e1e11d668022048823e465b4c752793d

    • SHA512

      dbfd85fe83a6cb45823305d63286fd15f6b9dce76d4705bfcd30c73510a683b7f414882c147e4f9928bd52398de5a47010f9a09a02a90931aa8f8ec91a7a3f4e

    • SSDEEP

      12288:MMykhMOoltiJVv+64qYAJS6FQHRJqc2pis3+m9QXM88Ut7hSLTZ87kR:nykh5oDiJkQZG8piqmXM8bhSR5

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#. It closely resembles SnakeKeylogger, which was first observed in 2020.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      Setting the context of a thread in another process is characteristic of process injection techniques such as process hollowing, where a suspended target thread is redirected to attacker-written code.
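The behavioural signatures above are individually weak (a benign updater may well look up its external IP). What a responder wants is to see them correlated per process. The block below is an added example, not tooling from the sandbox that produced this report: it maps constructed sandbox-style events (file reads, registry reads, DNS queries, API calls) to the signature names used on this page and gives a process the infostealer verdict only when it both harvests stored data and performs the external IP lookup. The browser/email store paths, the Outlook registry key fragment, the lookup hosts and the event records are assumed indicators chosen for illustration, not values taken from the report.

```python
"""Added example: per-process correlation of the report's behavioural signatures."""
from collections import defaultdict

# Assumed indicators (illustrative, not from the report).
BROWSER_STORES = ("\\login data", "\\cookies", "\\key4.db", "\\logins.json")
EMAIL_STORES = ("\\thunderbird\\profiles", "\\outlook\\", ".pst", ".ost")
OUTLOOK_PROFILE_KEYS = ("\\outlook\\profiles",)
IP_LOOKUP_HOSTS = ("api.ipify.org", "checkip.dyndns.org", "ipinfo.io", "icanhazip.com")
CONTEXT_APIS = ("SetThreadContext", "NtSetContextThread", "Wow64SetThreadContext")

SIG_BROWSER = "Reads user/profile data of web browsers"
SIG_EMAIL = "Reads user/profile data of local email clients"
SIG_OUTLOOK = "Accesses Microsoft Outlook profiles"
SIG_IPLOOKUP = "Looks up external IP address via web service"
SIG_CONTEXT = "Suspicious use of SetThreadContext"


def classify(event: dict) -> set:
    """Map one event to the set of signature names it satisfies."""
    hits = set()
    kind, value = event["type"], event["value"].lower()
    if kind == "file_read" and any(s in value for s in BROWSER_STORES):
        hits.add(SIG_BROWSER)
    if kind == "file_read" and any(s in value for s in EMAIL_STORES):
        hits.add(SIG_EMAIL)
    if kind == "reg_read" and any(k in value for k in OUTLOOK_PROFILE_KEYS):
        hits.add(SIG_OUTLOOK)
    if kind == "dns" and value in IP_LOOKUP_HOSTS:
        hits.add(SIG_IPLOOKUP)
    # Only a context change aimed at a thread in ANOTHER process is suspicious.
    if (kind == "api" and event["value"] in CONTEXT_APIS
            and event.get("target_pid") != event["pid"]):
        hits.add(SIG_CONTEXT)
    return hits


def correlate(events: list) -> dict:
    """Group signatures per pid; 'infostealer_like' requires data harvesting plus
    the external IP lookup in the same process."""
    per_pid = defaultdict(set)
    for ev in events:
        per_pid[ev["pid"]] |= classify(ev)
    verdict = {}
    for pid, sigs in per_pid.items():
        harvest = bool(sigs & {SIG_BROWSER, SIG_EMAIL, SIG_OUTLOOK})
        verdict[pid] = {"signatures": sorted(sigs),
                        "infostealer_like": harvest and SIG_IPLOOKUP in sigs}
    return verdict


# Constructed sample events (illustrative; not captured from the real sample).
SAMPLE_EVENTS = [
    {"pid": 4120, "type": "api", "value": "SetThreadContext", "target_pid": 4188},
    {"pid": 4188, "type": "file_read",
     "value": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 4188, "type": "reg_read",
     "value": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
    {"pid": 4188, "type": "file_read",
     "value": r"C:\Users\victim\AppData\Roaming\Thunderbird\Profiles\abc.default\prefs.js"},
    {"pid": 4188, "type": "dns", "value": "checkip.dyndns.org"},
    {"pid": 900, "type": "dns", "value": "api.ipify.org"},                         # lookup alone
    {"pid": 900, "type": "api", "value": "SetThreadContext", "target_pid": 900},   # own thread
]

if __name__ == "__main__":
    for pid, result in correlate(SAMPLE_EVENTS).items():
        print(pid, result)
```

With the constructed events, pid 4120 (the injector) shows only the SetThreadContext signature, pid 4188 (the injected process) collects the harvesting signatures plus the IP lookup and gets the verdict, and pid 900 is left alone despite its IP lookup and its same-process context call.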

MITRE ATT&CK Enterprise v15

Tasks