General

  • Target

    Pedido de Cotação-24110004.vbs

  • Size

    27KB

  • Sample

    241104-sklp6sscqr

  • MD5

    a09615be426add251a8564ea2ac62009

  • SHA1

    86619d4a1ae0b6ff354b167c9fd1efd881239dbb

  • SHA256

    4ae63307fe43b45affde507b3254404169c3ffa8709b8e321b0726e63ab955ab

  • SHA512

    7bfb8ca91a2149bac5b9bcddaf6c63fb4db447c4953587ce942abe87d72cd2c2c9b64ede2bc433b410e80723213a1abbc2e13c826d8e7fcf53876a59665d3994

  • SSDEEP

    384:tTl3OQDef2EDx+X+RHJaHgrXg7h9SNsZ4T:tTl3Zef2EkX+RHJaHgrXg7h9SNm4T

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      Pedido de Cotação-24110004.vbs

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first found in 2020.

    • Vipkeylogger family

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Accesses Microsoft Outlook profiles

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks