General
-
Target
Purchase order Coloplast AS RFQ 10059170.docx
-
Size
458KB
-
Sample
241023-p5vl2ashlq
-
MD5
b95c7303672b29595e704b80697dec29
-
SHA1
62e5567be424853e5f5e72c8d82c077fb5185812
-
SHA256
6e53e98fc01dd05fd91f377afadd8b75a6396958986ea211d879a4e3c713f323
-
SHA512
e9da95e3a678b1f49bac3a3e06065bdd0a9734daab356ad57ac8102a03697fc7a2edcb26c2f32bc948dfc76befe3c291e57b640c7f7fd999730c8f11b29d2838
-
SSDEEP
6144:p1bUb0cVLNEzYvRSPlaMXKaAi69qltTGSmNZ509tmYL6qoPQ7tmYB/l2mDlJjAIz:1kF5SPMM6I9X4X69mrm9Bt2mhW8G0Y6
Static task
static1
Behavioral task
behavioral1
Sample
Purchase order Coloplast AS RFQ 10059170.docx
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Purchase order Coloplast AS RFQ 10059170.docx
Resource
win10v2004-20241007-en
Malware Config
Extracted
vipkeylogger
Protocol: smtp- Host:
tonicables.top - Port:
587 - Username:
[email protected] - Password:
7213575aceACE@ - Email To:
[email protected]
Targets
-
-
Target
Purchase order Coloplast AS RFQ 10059170.docx
-
Size
458KB
-
MD5
b95c7303672b29595e704b80697dec29
-
SHA1
62e5567be424853e5f5e72c8d82c077fb5185812
-
SHA256
6e53e98fc01dd05fd91f377afadd8b75a6396958986ea211d879a4e3c713f323
-
SHA512
e9da95e3a678b1f49bac3a3e06065bdd0a9734daab356ad57ac8102a03697fc7a2edcb26c2f32bc948dfc76befe3c291e57b640c7f7fd999730c8f11b29d2838
-
SSDEEP
6144:p1bUb0cVLNEzYvRSPlaMXKaAi69qltTGSmNZ509tmYL6qoPQ7tmYB/l2mDlJjAIz:1kF5SPMM6I9X4X69mrm9Bt2mhW8G0Y6
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Exploitation for Client Execution
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2