General
-
Target
SWIFT COPY 2.docx
-
Size
459KB
-
Sample
241104-l37xss1mgr
-
MD5
fd1963efc96cae15689f5e7eb9664b4b
-
SHA1
b4b13fc72a4bab883ae9ec4efc84cfe48c6b8d8a
-
SHA256
e763827e8385a621c0c28456d7c3fd0393b01d542b52a2b18bd5061492b97662
-
SHA512
50f91dba0d6180e02b8b1d5345ae024c9ed24666fb6c54e22798da122276dd1e1e85a43126826d9456e4db5e21fb762e9797d50f323cf498807d860935c04992
-
SSDEEP
6144:kMlcbR5HastSFXbqUAbqUAbqUvyLE8IIIIIW0ru0rqme6eeCe9vCeXhdrJ9tmYLk:/ARtUVhpr/rqIXt9mrm9Bt2mhW8G0YX
Static task
static1
Behavioral task
behavioral1
Sample
SWIFT COPY 2.docx
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
SWIFT COPY 2.docx
Resource
win10v2004-20241007-en
Malware Config
Extracted
vipkeylogger
Protocol: smtp
Host: mail.covid19support.top
Port: 587
Username: [email protected]
Password: 7213575aceACE@@
Email To: [email protected]
Targets
-
Target
SWIFT COPY 2.docx
-
Score
10/10
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first found in 2020.
-
Vipkeylogger family
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location
-
Executes dropped EXE
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-