vipkeylogger | a2ef6e1f58a00b5d6523987df95a7ffc052a89470f97cd228a14fbccff113237 | Triage

Sharing

General

Target

DistribucionesEnelcaJanS.L.PEDIDO456799.vbs
Size

529KB
Sample

241023-sfclpswela
MD5

3f13eef87515d70fbdfedc6de7b6efc4
SHA1

8d2394c2e4daada6b8d9af1b60d8d11130ac1845
SHA256

a2ef6e1f58a00b5d6523987df95a7ffc052a89470f97cd228a14fbccff113237
SHA512

585541e886e8175def7f0e4d92c2ad39c065f8777a113c8738a2aaade3dc96592572265f1e3511718dcdd0703730d530fa13b88c4773ecd2a2ef181c5886de7a
SSDEEP

6144:o0/75XG/Kk33JliXA0PsaaBBWiQP88BNkmxylnwa4j3Ms/+UrJ/WzukhWwP+m55k:BNU3/G6PQU8/xCnv4Y4lWzCwPHtvP9Dg

Score

10^/10

vipkeylogger collection discovery execution keylogger stealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.daniberto.com
Port:
587
Username:
[email protected]
Password:
Fabrica1221.
Email To:
[email protected]

Targets

- Target
  
  DistribucionesEnelcaJanS.L.PEDIDO456799.vbs
- Size
  
  529KB
- MD5
  
  3f13eef87515d70fbdfedc6de7b6efc4
- SHA1
  
  8d2394c2e4daada6b8d9af1b60d8d11130ac1845
- SHA256
  
  a2ef6e1f58a00b5d6523987df95a7ffc052a89470f97cd228a14fbccff113237
- SHA512
  
  585541e886e8175def7f0e4d92c2ad39c065f8777a113c8738a2aaade3dc96592572265f1e3511718dcdd0703730d530fa13b88c4773ecd2a2ef181c5886de7a
- SSDEEP
  
  6144:o0/75XG/Kk33JliXA0PsaaBBWiQP88BNkmxylnwa4j3Ms/+UrJ/WzukhWwP+m55k:BNU3/G6PQU8/xCnv4Y4lWzCwPHtvP9Dg
Score

10^/10

vipkeylogger discovery execution keylogger stealer collection
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

vipkeyloggerdiscoveryexecutionkeyloggerstealer

behavioral2

vipkeyloggercollectiondiscoveryexecutionkeyloggerstealer