General

  • Target

    bccb0ccb0f6f7ed80d4f2a27053febad9fbf4aa00ce438cf52b629cd12d1e0d3.vbs

  • Size

    344KB

  • Sample

    241031-echfws1jcl

  • MD5

    9654b19bdda7ce4856861e8e46c17ccf

  • SHA1

    7d7dd29dacd5badbf45337998f8ba44faabafe31

  • SHA256

    bccb0ccb0f6f7ed80d4f2a27053febad9fbf4aa00ce438cf52b629cd12d1e0d3

  • SHA512

    5335c6087d4f6112446e61f8dedacf43c5168c824d43f5991479ed85a0f879a633051af2595b719dfaac7abb54f5a55291c380bbb1d0728aeae609781c64f53a

  • SSDEEP

    6144:En64ik47Q3WAFLOgL6hPnAIjxnH7sjS3xcrl0ZIRN2XrwozRMeqzAv+qmXpiEcI7:ZgcgL8jD/wGmzcspqU0JuR

Malware Config

  • Extracted

  • Family

    vipkeylogger

  • Credentials

Targets

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.

    • Vipkeylogger family

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Accesses Microsoft Outlook profiles

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Network Service Discovery

      Attempts to gather information on the host's network.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks