General

  • Target

    Purchase order Coloplast AS RFQ 10059170.docx

  • Size

    458KB

  • Sample

    241023-p5vl2ashlq

  • MD5

    b95c7303672b29595e704b80697dec29

  • SHA1

    62e5567be424853e5f5e72c8d82c077fb5185812

  • SHA256

    6e53e98fc01dd05fd91f377afadd8b75a6396958986ea211d879a4e3c713f323

  • SHA512

    e9da95e3a678b1f49bac3a3e06065bdd0a9734daab356ad57ac8102a03697fc7a2edcb26c2f32bc948dfc76befe3c291e57b640c7f7fd999730c8f11b29d2838

  • SSDEEP

    6144:p1bUb0cVLNEzYvRSPlaMXKaAi69qltTGSmNZ509tmYL6qoPQ7tmYB/l2mDlJjAIz:1kF5SPMM6I9X4X69mrm9Bt2mhW8G0Y6

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      Purchase order Coloplast AS RFQ 10059170.docx

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Abuses OpenXML format to download file from external location

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar data.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks