General

  • Target

    274886fceb562b62f7c9047ea003e7cb.bin

  • Size

    902KB

  • Sample

    241024-bg4cdaxdnf

  • MD5

    11449233cda43c540d0e705b11bf8557

  • SHA1

    4b10273e57d2b4907554594608bd5d1053a77918

  • SHA256

    3c2c4a3ef0e5b9fe5aba495db49cb2648c16677fa1ed900bb59ddba63e5ae2ae

  • SHA512

    a2211be54f06a5ec5f4964550bce275cc94cbd7b4c70e2897c59874087df10debf93831430327093144c292c035c6b742e341ea3f87c634e6cea3cd9d29483dc

  • SSDEEP

    12288:XMDDEwtwPheX7eca0JxaPLBxmt1caSPnMWkRjsvV6YNW8+9znkYBaw6WFYg2j7P/:X+hwCH6PLzgaAZQ6YV+BnRoUv4DqCh

Malware Config

Extracted

Family

vipkeylogger

Credentials
C2

https://api.telegram.org/bot7323823089:AAFBRsTW94zIpSoDS8yfGsotlQLqF2I6TU0/sendMessage?chat_id=5013849544

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.vvtrade.vn
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    qVyP6qyv6MQCmZJBRs4t

Targets

    • Target

      1ecf2326311e2c2e98ec0548958da41dafcc961c9ec07088c0c646445f51a30a.exe

    • Size

      1.2MB

    • MD5

      274886fceb562b62f7c9047ea003e7cb

    • SHA1

      4e08243ed9caf495ad6337029aad1ed207fe6a52

    • SHA256

      1ecf2326311e2c2e98ec0548958da41dafcc961c9ec07088c0c646445f51a30a

    • SHA512

      01544cf243f46ce27c59fc3ecb91df7941142d87260fae0c4c68191f6c1712e3f055040098bae7969200ea810daf03633937e6b9d194add7be0c46a14e3df2a6

    • SSDEEP

      24576:ffmMv6Ckr7Mny5QLjGFLhUQkAO6AS2GEuY5++o+:f3v+7/5QLcOYO6eLrk+

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# that resembles SnakeKeylogger, which was found in 2020.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext
