General

  • Target

    2024-10-31_e3ad35df252b86660806a6847e9837ba_avoslocker_hijackloader

  • Size

    5.3MB

  • Sample

    241031-c1xvdaxfrd

  • MD5

    e3ad35df252b86660806a6847e9837ba

  • SHA1

    c26298636e80922253c0b6e9cac184ddfe757410

  • SHA256

    08fd9a22fb21886f26cf8597f8829b34fae7bbed628b9bb2a5dfd7b8031da1e1

  • SHA512

    b21f78c48f05bda72e0e54db89b9434a851cdd74cea23d94597145c0a28726e19547b299359b992e82a3a7f892dfd58774dbdcfee0c5f782c1047b877064145c

  • SSDEEP

    98304:5F0lfx2WMXhJcemnW9F0lfx2WMXhJcemnWcOU/jIEeQfoR/IuOFVjUu5:Y9x7ZeiD9x7ZeiLFIF0wu

Malware Config

Extracted

Family

vipkeylogger

Targets

    • Target

      2024-10-31_e3ad35df252b86660806a6847e9837ba_avoslocker_hijackloader

    • Size

      5.3MB

    • MD5

      e3ad35df252b86660806a6847e9837ba

    • SHA1

      c26298636e80922253c0b6e9cac184ddfe757410

    • SHA256

      08fd9a22fb21886f26cf8597f8829b34fae7bbed628b9bb2a5dfd7b8031da1e1

    • SHA512

      b21f78c48f05bda72e0e54db89b9434a851cdd74cea23d94597145c0a28726e19547b299359b992e82a3a7f892dfd58774dbdcfee0c5f782c1047b877064145c

    • SSDEEP

      98304:5F0lfx2WMXhJcemnW9F0lfx2WMXhJcemnWcOU/jIEeQfoR/IuOFVjUu5:Y9x7ZeiD9x7ZeiLFIF0wu

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    • Vipkeylogger family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks