vipkeylogger | 66ef9dcb6a5143453daaeced545c270e3a97de89a3289f7e3effce1540135ee0 | Triage

Sharing

General

Target

66ef9dcb6a5143453daaeced545c270e3a97de89a3289f7e3effce1540135ee0.vbs
Size

519KB
Sample

241026-b9evgsvpdn
MD5

cc7b8ff842d99296d7ec347eb9678e09
SHA1

40f2d2d3747af208c4feaeb51aca9b1dfcb62000
SHA256

66ef9dcb6a5143453daaeced545c270e3a97de89a3289f7e3effce1540135ee0
SHA512

9b6741e1cc073c4ce8709613da986857388e4844a74279f88cf50324f10916c4e052cdd2e485b9c09f5e33b8e603e6a0504899ac670320a636e89ba15a218368
SSDEEP

6144:De/79XfNb0Z1h/csXSWmT9lBiNo4LSrp17wHWmQUnbzN2TxOiSWGIhEmrm5daIug:2Rc1RYnL4WrUHLhn1XW+mr+yrs96g

Score

10^/10

vipkeylogger collection discovery execution keylogger stealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.punoterrahotel.com
Port:
587
Username:
[email protected]
Password:
Titikakapu@2023
Email To:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
mail.punoterrahotel.com
Port:
587
Username:
[email protected]
Password:
Titikakapu@2023

Targets

- Target
  
  66ef9dcb6a5143453daaeced545c270e3a97de89a3289f7e3effce1540135ee0.vbs
- Size
  
  519KB
- MD5
  
  cc7b8ff842d99296d7ec347eb9678e09
- SHA1
  
  40f2d2d3747af208c4feaeb51aca9b1dfcb62000
- SHA256
  
  66ef9dcb6a5143453daaeced545c270e3a97de89a3289f7e3effce1540135ee0
- SHA512
  
  9b6741e1cc073c4ce8709613da986857388e4844a74279f88cf50324f10916c4e052cdd2e485b9c09f5e33b8e603e6a0504899ac670320a636e89ba15a218368
- SSDEEP
  
  6144:De/79XfNb0Z1h/csXSWmT9lBiNo4LSrp17wHWmQUnbzN2TxOiSWGIhEmrm5daIug:2Rc1RYnL4WrUHLhn1XW+mr+yrs96g
Score

10^/10

vipkeylogger discovery execution keylogger stealer collection
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

vipkeyloggerdiscoveryexecutionkeyloggerstealer

behavioral2

vipkeyloggercollectiondiscoveryexecutionkeyloggerstealer