Overview

overview

10

Static

static

3

Shipping D...84.exe

windows7-x64

10

Shipping D...84.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a2eecfa58a1a154e79979fa5f3ff39269d33e3624446bb60ce83800cc3ba19f8.r00

  • Size

    667KB

  • Sample

    241030-dq9lvsvhrp

  • MD5

    83e2770942c89e3e629b22eddf508888

  • SHA1

    0103cb5a5f590dfab0bf4b90f54580f722124412

  • SHA256

    a2eecfa58a1a154e79979fa5f3ff39269d33e3624446bb60ce83800cc3ba19f8

  • SHA512

    c733afaaaec89c958e68414df97faa855017882cac8c359b26503031df537befdf60b724156ec163571bee452f1585cc2ec0c0c91bf94296a8e5027dfcd83b5b

  • SSDEEP

    12288:W0rkwtEB9Hri/oQt3EsHuApG20eKGf3CnIPf9r//kSIsCDpwJFCTH5thBnnQTfd:vqB9jIUu/4207+ysjkS1KGF2lBnnQzd

Score
10/10
vipkeyloggercollectiondiscoveryexecutionkeyloggerstealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.bulatpharmaceutical.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    XRM)dWOF&~z3

Targets

    • Target

      Shipping Documents 240384.exe

    • Size

      771KB

    • MD5

      70338f79bb11ee88003ea5f2d0d363c1

    • SHA1

      85d426e23b7223faacea8b78c6de345098ccfbad

    • SHA256

      50bcb2857ce3d005fad3479253fa1c7a8cf0cd667c16d9d7c292d9307011dadf

    • SHA512

      bace26acc95d929c703e437d5adc360bb54190aaa6f054ff4e77a9bc183bf17603f4a806344de80538c0669ede1c5f085bae9c2a355cbfdbd3cf2d08c2df8295

    • SSDEEP

      12288:113LrfXYb+9JKV6WpWlCFl2SQ2gkXb4uvzt0FpIrlIK25FBc:nYb+9i11HDIkXb4gztLIDFBc

    Score
    10/10
    vipkeyloggercollectiondiscoveryexecutionkeyloggerstealer

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

      stealerkeyloggervipkeylogger

    • Vipkeylogger family

      vipkeylogger

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks