General

  • Target

    af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe

  • Size

    859KB

  • Sample

    241109-dyw1qswgnj

  • MD5

    8cebfa704d3634a606537d895816e5be

  • SHA1

    dbefde135d6f1f08febeec531ae15b053e4afd98

  • SHA256

    af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c

  • SHA512

    edc2ede743b92d89b01ecd1e674d5f5587c428df919954b7463769d9db4468705f362c2fc1d195c5bf34669f8537e264827caeae8ebbf22b2594f08e9757c5e4

  • SSDEEP

    24576:K1r1Fid2Zjri8yfYDFaHHminnen2kXHeDApmFeLW/OMZ:K1r1Fi+ju4Zafni2kX+DApm6

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c.exe

    • Size

      859KB

    • MD5

      8cebfa704d3634a606537d895816e5be

    • SHA1

      dbefde135d6f1f08febeec531ae15b053e4afd98

    • SHA256

      af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c

    • SHA512

      edc2ede743b92d89b01ecd1e674d5f5587c428df919954b7463769d9db4468705f362c2fc1d195c5bf34669f8537e264827caeae8ebbf22b2594f08e9757c5e4

    • SSDEEP

      24576:K1r1Fid2Zjri8yfYDFaHHminnen2kXHeDApmFeLW/OMZ:K1r1Fi+ju4Zafni2kX+DApm6

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    • Vipkeylogger family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks