General

  • Target

    3203bb89b0375b0d039790ecaa9a8b7b812e6934031348a2d508b2a5eb5219bbN

  • Size

    722KB

  • Sample

    241109-vx4smaxpdx

  • MD5

    6c31f17ad8d80dc4fb68cfa4c4198170

  • SHA1

    83b5a2d606109cf89c8ea1e9b3acb1c85dfe5697

  • SHA256

    3203bb89b0375b0d039790ecaa9a8b7b812e6934031348a2d508b2a5eb5219bb

  • SHA512

    fa0cedb852f7e8c411e32641afe8e94e0f9b912bc13ed2f97b5eb3aee325708f6ba0ca2acdca090b8f04501bd378b318d1c058350d9a4ee6c45020b85dafb176

  • SSDEEP

    12288:iUQbEeX/zYMB0NfKRBn48pV9EirzAplEfIN+E8E6GusGx60KDcI:iU0//PBMf4n48p3Ap0E8SuhA5

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      3203bb89b0375b0d039790ecaa9a8b7b812e6934031348a2d508b2a5eb5219bbN

    • Size

      722KB

    • MD5

      6c31f17ad8d80dc4fb68cfa4c4198170

    • SHA1

      83b5a2d606109cf89c8ea1e9b3acb1c85dfe5697

    • SHA256

      3203bb89b0375b0d039790ecaa9a8b7b812e6934031348a2d508b2a5eb5219bb

    • SHA512

      fa0cedb852f7e8c411e32641afe8e94e0f9b912bc13ed2f97b5eb3aee325708f6ba0ca2acdca090b8f04501bd378b318d1c058350d9a4ee6c45020b85dafb176

    • SSDEEP

      12288:iUQbEeX/zYMB0NfKRBn48pV9EirzAplEfIN+E8E6GusGx60KDcI:iU0//PBMf4n48p3Ap0E8SuhA5

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    • Vipkeylogger family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks