vipkeylogger | 0bf7c4713620f1c36fd682cfbc84c20664cde9ae5731ffee6ad57dbd711dc237 | Triage

Sharing

General

Target

Permintaan Untuk Sebutharga RFQ 087624.vbs
Size

34KB
Sample

241104-hr3l6azjbl
MD5

cd5285fd6117aced83552e3a0ff857f4
SHA1

2209301c58e66ec7effd3e3135bb4561c61989fc
SHA256

0bf7c4713620f1c36fd682cfbc84c20664cde9ae5731ffee6ad57dbd711dc237
SHA512

95e9c96e457e7863bc521909462cd56dc36c39118ad0c450a9147db8165f45c2a0054ef1c314ea3d36009d399db06f75ab60081e32e760027c1e6380b3e1302f
SSDEEP

192:FwOg+1pDFSO662Fm4OtXPn+a4qsXiKOIZ4gWhCDBgCTZ93DUKH0LB+4z2qDAn83M:F3z2CtXP+aEbZzLdgVNz2qDrkayYcd

Score

10^/10

vipkeylogger collection discovery execution keylogger stealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.recsb.com
Port:
587
Username:
[email protected]
Password:
1=vI*r6^
Email To:
[email protected]

Targets

- Target
  
  Permintaan Untuk Sebutharga RFQ 087624.vbs
- Size
  
  34KB
- MD5
  
  cd5285fd6117aced83552e3a0ff857f4
- SHA1
  
  2209301c58e66ec7effd3e3135bb4561c61989fc
- SHA256
  
  0bf7c4713620f1c36fd682cfbc84c20664cde9ae5731ffee6ad57dbd711dc237
- SHA512
  
  95e9c96e457e7863bc521909462cd56dc36c39118ad0c450a9147db8165f45c2a0054ef1c314ea3d36009d399db06f75ab60081e32e760027c1e6380b3e1302f
- SSDEEP
  
  192:FwOg+1pDFSO662Fm4OtXPn+a4qsXiKOIZ4gWhCDBgCTZ93DUKH0LB+4z2qDAn83M:F3z2CtXP+aEbZzLdgVNz2qDrkayYcd
Score

10^/10

execution vipkeylogger collection discovery keylogger stealer
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

vipkeyloggercollectiondiscoveryexecutionkeyloggerstealer