General

  • Target

    24102024_1518_24102024_PIOE56709876780002.doc.z

  • Size

    828KB

  • Sample

    241024-sp4fsawcqp

  • MD5

    a5109406c4805f77e61578c454561cb7

  • SHA1

    e87c86dda88add7c6b65dd91ddea046f1d038d02

  • SHA256

    6bb4a893e9ff53ecd6d254144772d82f3bf5aa12e0844a40f5c8c4a09441d743

  • SHA512

    dc56df67b65c213e2ebfc77badcb1c2eaea2ebc5e8bba940d00d7b37ad02453215d90f2653531e8a4b71e6e97ed5df96b377dcaf792da390dcad273a4b725bc6

  • SSDEEP

    12288:mHoeBccgwo0p8WDeARmi/DFz8EUsRJPC5LJvlwr7/oLw/h+PdTgaCL4qxuki8AmR:mIGccgop8WfX/DKE5JC5LJvGguOAHcaP

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI/sendMessage?chat_id=6443825857

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.vvtrade.vn
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    qVyP6qyv6MQCmZJBRs4t
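The two exfiltration channels above (a Telegram Bot API sendMessage URL and an SMTP credential block) are what an analyst has to turn into blockable indicators. The script below is an added example, not part of the sandbox report or the sample's code: it pulls both settings out of dumped strings, builds IOCs and matches them against proxy log lines. The input lines are constructed to mirror the shape of the extracted config; the bot token, chat id, mail host and account are placeholders.

```python
"""Extract Telegram-bot and SMTP exfiltration settings from dumped strings
and turn them into IOCs. Added example, not part of the sandbox report; the
sample strings and proxy log are constructed and every token, id, host and
account in them is a placeholder of the same shape as the real ones."""
import re
from urllib.parse import parse_qs

# A Telegram bot token is "<numeric bot id>:<35 URL-safe characters>".
TELEGRAM_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d{8,12}:[A-Za-z0-9_-]{35})"
    r"/(?P<method>\w+)(?:\?(?P<query>[^\s'\"]*))?"
)
# "Key: value" lines as a config extractor or a report prints them.
SMTP_RE = re.compile(r"(?i)^\s*(protocol|host|port|username|password)\s*[:=]\s*(\S+)\s*$")

SAMPLE_STRINGS = [  # constructed to mirror the extracted config above
    "https://api.telegram.org/bot1234567890:AAExampleTokenExampleTokenExample01"
    "/sendMessage?chat_id=1000000001",
    "Protocol: smtp",
    "Host: mail.example.invalid",
    "Port: 587",
    "Username: sender@example.invalid",
    "Password: placeholder-password",
]


def extract_telegram(lines):
    """Return one record per Telegram Bot API URL found in the strings."""
    hits = []
    for line in lines:
        for m in TELEGRAM_RE.finditer(line):
            query = parse_qs(m.group("query") or "")
            token = m.group("token")
            hits.append({
                "bot_id": token.split(":", 1)[0],
                "token": token,
                "method": m.group("method"),
                "chat_id": query.get("chat_id", [None])[0],
            })
    return hits


def extract_smtp(lines):
    """Return the SMTP fields as a dict, with the port converted to int."""
    cfg = {}
    for line in lines:
        m = SMTP_RE.match(line)
        if m:
            key, value = m.group(1).lower(), m.group(2)
            cfg[key] = int(value) if key == "port" and value.isdigit() else value
    return cfg


def build_iocs(lines):
    """Combine both extractors into a sorted list of (type, value) IOCs."""
    iocs = set()
    for t in extract_telegram(lines):
        # Block the bot-specific URL prefix rather than api.telegram.org as a
        # whole: legitimate Telegram clients talk to the same host.
        iocs.add(("url_prefix", f"https://api.telegram.org/bot{t['token']}/"))
        iocs.add(("telegram_bot_id", t["bot_id"]))
        if t["chat_id"]:
            iocs.add(("telegram_chat_id", t["chat_id"]))
    smtp = extract_smtp(lines)
    if "host" in smtp:
        iocs.add(("smtp_host", smtp["host"]))
    if "username" in smtp:
        iocs.add(("smtp_account", smtp["username"]))
    return sorted(iocs)


def find_c2_in_proxy_log(log_lines, iocs):
    """Return proxy log lines whose URL carries a known bot prefix.
    Full URLs are only visible with TLS inspection or from host telemetry;
    a plain CONNECT log shows just api.telegram.org:443."""
    prefixes = [value for kind, value in iocs if kind == "url_prefix"]
    return [line for line in log_lines if any(p in line for p in prefixes)]


SAMPLE_PROXY_LOG = [  # constructed; first line is an unrelated, benign bot
    "10.0.0.5 GET https://api.telegram.org/bot9876543210:AAOtherBotOtherBotOtherBotOtherBot1/getMe",
    "10.0.0.7 POST https://api.telegram.org/bot1234567890:AAExampleTokenExampleTokenExample01/sendMessage",
]

if __name__ == "__main__":
    iocs = build_iocs(SAMPLE_STRINGS)
    for kind, value in iocs:
        print(f"{kind:18} {value}")
    for hit in find_c2_in_proxy_log(SAMPLE_PROXY_LOG, iocs):
        print("C2 hit:", hit)
```

The bot id (the digits before the colon) is stable for the attacker's bot even if the token is rotated, so it is the better long-lived indicator; the chat id identifies the receiving account and is useful for clustering samples from the same operator.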

Targets

    • Target

      PIOE56709876780002.exe

    • Size

      1.2MB

    • MD5

      ea3273984038ab81206e74dcf5c3f04e

    • SHA1

      4cfedc14c31c4364382bf2865a14f82f3d2188db

    • SHA256

      68a1fa9a0a9dc5fbd2746b1103dc4ced27824bf12d99c50eedad5b19a3f640de

    • SHA512

      73d917ec4226de83d4b64e90d1d13243092ab21f43526bba9fbff27674640f2efb92462ba61ada50c9467501cbc12d2e7073a2c59e4b076a378f623430ff0796

    • SSDEEP

      24576:5fmMv6Ckr7Mny5QtMdiJJCtLxLe6aiCH2aE:53v+7/5QtMDLheMY2/

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#. It resembles SnakeKeylogger, which was first seen in 2020.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext
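The behavioural signatures above are each a simple rule over host telemetry. The script below is an added example, not the sandbox's own rule set: it re-derives the listed signatures from constructed Sysmon-style events (file write, process creation, image load, registry query, DNS query, API call) and adds the static check for a compiled AutoIt executable. Paths, PIDs and the stub bytes are placeholders; the Outlook profile key, the IP lookup hosts and the AutoIt markers are the real ones.

```python
"""Re-derive the behavioural signatures listed above from host telemetry.
Added example, not the sandbox's own rules. SAMPLE_EVENTS and the AutoIt
stub bytes are constructed; paths and PIDs in them are placeholders."""
import re

# Markers present in PEs built by the AutoIt3 compiler (Aut2Exe).
AUTOIT_MARKERS = (b"AU3!EA06", b"This is a third-party compiled AutoIt script.")

STARTUP_FOLDER_RE = re.compile(r"(?i)\\Start Menu\\Programs\\Startup\\")
# Outlook 2013+ keeps profiles under Office\<ver>\Outlook; older builds under
# the Windows Messaging Subsystem key.
OUTLOOK_PROFILES_RE = re.compile(
    r"(?i)\\(Software\\Microsoft\\Office\\\d+\.\d\\Outlook|Windows Messaging Subsystem)\\Profiles"
)
USER_WRITABLE_RE = re.compile(r"(?i)\\(AppData|Temp|ProgramData|Users\\Public)\\")
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "icanhazip.com", "ip-api.com"}


def is_compiled_autoit(pe_bytes):
    """True if the binary carries the compiled-AutoIt markers."""
    return any(marker in pe_bytes for marker in AUTOIT_MARKERS)


def match_signatures(events):
    """Return the sorted list of signature names the event stream triggers."""
    hits = set()
    dropped = set()  # lower-cased paths of PE files written during the trace
    for ev in events:
        kind = ev["type"]
        if kind == "file_write":
            path = ev["path"]
            if STARTUP_FOLDER_RE.search(path):
                hits.add("Drops startup file")
            if path.lower().endswith((".exe", ".dll")) and USER_WRITABLE_RE.search(path):
                dropped.add(path.lower())
        elif kind == "process_create" and ev["image"].lower() in dropped:
            hits.add("Executes dropped EXE")
        elif kind == "image_load" and ev["image"].lower() in dropped:
            hits.add("Loads dropped DLL")
        elif kind == "registry_query" and OUTLOOK_PROFILES_RE.search(ev["key"]):
            hits.add("Accesses Microsoft Outlook profiles")
        elif kind == "dns_query" and ev["query"].lower() in IP_LOOKUP_HOSTS:
            hits.add("Looks up external IP address via web service")
        elif kind == "api_call" and ev["api"] == "SetThreadContext":
            # Rewriting a thread context in another process is the hollowing /
            # injection pattern; use on the caller's own threads is routine.
            if ev.get("target_pid") not in (None, ev["pid"]):
                hits.add("Suspicious use of SetThreadContext")
    return sorted(hits)


SAMPLE_EVENTS = [  # constructed telemetry, not taken from the report
    {"type": "file_write", "pid": 4120,
     "path": r"C:\Users\victim\AppData\Local\Temp\PIOE56709876780002.exe"},
    {"type": "process_create", "pid": 4188, "ppid": 4120,
     "image": r"C:\Users\victim\AppData\Local\Temp\PIOE56709876780002.exe"},
    {"type": "file_write", "pid": 4188,
     "path": r"C:\Users\victim\AppData\Local\Temp\helper.dll"},
    {"type": "image_load", "pid": 4188,
     "image": r"C:\Users\victim\AppData\Local\Temp\helper.dll"},
    {"type": "file_write", "pid": 4188,
     "path": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"},
    {"type": "registry_query", "pid": 4188,
     "key": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
    {"type": "dns_query", "pid": 4188, "query": "checkip.dyndns.org"},
    {"type": "api_call", "pid": 4188, "api": "SetThreadContext", "target_pid": 4320},
]

# Constructed stub: a PE header fragment followed by the AutoIt marker.
SAMPLE_AUTOIT_STUB = b"MZ\x90\x00\x03\x00" + b"\x00" * 32 + b"AU3!EA06" + b"\x00" * 8

if __name__ == "__main__":
    for name in match_signatures(SAMPLE_EVENTS):
        print("signature:", name)
    print("AutoIT Executable:", is_compiled_autoit(SAMPLE_AUTOIT_STUB))
```

Two of these rules carry the most weight in practice: "Executes dropped EXE" depends on correlating the file write with the later process start, so the detector must see the whole trace and not single events, and the SetThreadContext rule only fires on a cross-process target, which is what distinguishes hollowing of a host such as a .NET utility from normal in-process use.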

MITRE ATT&CK Enterprise v15

Tasks