Resubmissions

07-11-2024 16:02   241107-tg9hhavgnl   10

07-11-2024 15:49   241107-s9mzjavfng   10

07-11-2024 11:30   241107-nl46pa1jdz   10

General

  • Target

    dfcugh.vbs

  • Size

    13KB

  • Sample

    241107-tg9hhavgnl

  • MD5

    4f3e6d1619f31390de9a461391f10dba

  • SHA1

    9d90fa6b3bb7809fc800751c6cfc41dc68742a84

  • SHA256

    2202962f09e94846b9677dda2358f0f04871bcd02c6ac3c5f3f27e85982d26c6

  • SHA512

    f609e24d91a9ee08fe9b89f4909eb8745045d67b0b20d187d4586f5c382cefc2af96baacd1125aef96b71cc4eeeefdf0baa4467a1bb66637edfedacca9615427

  • SSDEEP

    384:CiQvc9iQZ4T6+wi7Ahrd5RxEA/mywQfD6U512ChMsB+5wZ/f3CPR:CiQk9iQzn512ChMsB+4/fyPR

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper
    https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

    exe.dropper
    https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Extracted

  • Family

    vipkeylogger

Targets

    • Target

      dfcugh.vbs

    • Size

      13KB

    • MD5

      4f3e6d1619f31390de9a461391f10dba

    • SHA1

      9d90fa6b3bb7809fc800751c6cfc41dc68742a84

    • SHA256

      2202962f09e94846b9677dda2358f0f04871bcd02c6ac3c5f3f27e85982d26c6

    • SHA512

      f609e24d91a9ee08fe9b89f4909eb8745045d67b0b20d187d4586f5c382cefc2af96baacd1125aef96b71cc4eeeefdf0baa4467a1bb66637edfedacca9615427

    • SSDEEP

      384:CiQvc9iQZ4T6+wi7Ahrd5RxEA/mywQfD6U512ChMsB+5wZ/f3CPR:CiQk9iQzn512ChMsB+4/fyPR

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

    • Vipkeylogger family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
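To turn the extracted dropper URL and the behaviours listed above into something a detection engineer can run, the following added example (not part of this sandbox report, its signature set, or the malware) triages a handful of constructed process, registry and network events against them. The event layout, the script-host blocklist, the IP-lookup host list and the exact registry paths are assumptions made for illustration; the report states the behaviours but not these details. The dropper URL is matched on its exact filekey rather than on the host, because filemail.com is a legitimate file-sharing service. The SetThreadContext signature needs an API-call trace rather than these event types and is not modelled.

```python
"""Behaviour- and indicator-based triage of constructed host events against
this report.  Added example: not part of the sandbox report, its signatures,
or the malware.  Event layout, the script-host blocklist, the IP-lookup host
list and the registry paths are assumptions made for illustration."""
import re
from urllib.parse import parse_qs, urlparse

# Dropper URL from the extracted config (shared by ps1.dropper and exe.dropper).
DROPPER_URL = (
    "https://1017.filemail.com/api/file/get?filekey="
    "2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w"
    "&pk_vid=fd4f614bb209c62c1730945176a0904f"
)
DROPPER_FILEKEY = parse_qs(urlparse(DROPPER_URL).query)["filekey"][0]

# Assumed: script hosts treated as "blocklisted" for outbound requests.
BLOCKLISTED_NET_PROCS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}
# Assumed: common IP-lookup services; the report does not name the one used.
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "ip-api.com", "ipinfo.io"}
# Assumed registry locations for the location check and Outlook profile access.
GEO_NATION_KEY = r"hkcu\control panel\international\geo\nation"
OUTLOOK_PROFILES = r"\outlook\profiles"
# -w / -win / -windowstyle hidden (PowerShell accepts any unambiguous prefix).
HIDDEN_WINDOW = re.compile(r"(?:^|\s)-w[a-z]*\s+hidden\b")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_dropper_url(url):
    """Match on the exact filekey, not the host: filemail.com is a legitimate
    file-sharing service, so blocking the whole domain invites false positives."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if host != "filemail.com" and not host.endswith(".filemail.com"):
        return False
    return parse_qs(p.query).get("filekey", [None])[0] == DROPPER_FILEKEY


def is_hidden_powershell(ev):
    if basename(ev["image"]) not in {"powershell.exe", "pwsh.exe"}:
        return False
    return bool(HIDDEN_WINDOW.search(ev.get("cmdline", "").lower()))


def triage(events):
    """Return the sorted list of report behaviours matched by the events."""
    hits = set()
    for ev in events:
        kind, image = ev["type"], basename(ev["image"])
        if kind == "process" and is_hidden_powershell(ev):
            hits.add("Command and Scripting Interpreter: PowerShell (hidden window)")
        elif kind == "network":
            host = (urlparse(ev["url"]).hostname or "").lower()
            if image in BLOCKLISTED_NET_PROCS:
                hits.add("Blocklisted process makes network request")
            if is_dropper_url(ev["url"]):
                hits.add("Contacts dropper URL from extracted config")
            if host in IP_LOOKUP_HOSTS:
                hits.add("Looks up external IP address via web service")
        elif kind == "registry":
            key = ev["key"].lower()
            if key == GEO_NATION_KEY:
                hits.add("Checks computer location settings")
            if OUTLOOK_PROFILES in key:
                hits.add("Accesses Microsoft Outlook profiles")
    return sorted(hits)


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed events modelled on the chain in this report (VBS -> hidden
# PowerShell -> download -> keylogger); not captured from the sample.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\user\Downloads\dfcugh.vbs"'},
    {"type": "process", "image": PS,
     "cmdline": "powershell.exe -w hidden -ep bypass -c Start-Sleep 1"},
    {"type": "network", "image": PS, "url": DROPPER_URL},
    {"type": "registry", "image": PS,
     "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "registry", "image": PS,
     "key": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
    {"type": "network", "image": PS, "url": "http://checkip.dyndns.org/"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("[+]", hit)
```

Running the script against the constructed events reports six of the behaviours from this page; a browser fetching the filemail.com front page produces no hit, which is the point of keying the network indicator on the filekey.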

MITRE ATT&CK Enterprise v15
