General

  • Target

    462a9165371be9c5f86b76adbc068d37.bin

  • Size

    809KB

  • Sample

    241110-blppsayqbk

  • MD5

    db5446562b7f81634a27dd960eddf1f1

  • SHA1

    0be76ed4a14f05cd8103298e618ec88f87cfbc45

  • SHA256

    3e0634dbe5ed3bc80d75db490522aaeda8abd2c0e6471ffe805808d2ef0ff755

  • SHA512

    c4033562832b3d829e623349c723d539a29f61a57d5dbdd8310d435b7d3f87491446aad455fbe1d09d0d659c8e3cc0954f3f99314136f6040000c9ad0c5af1bb

  • SSDEEP

    12288:vLytaYJi1/lPuO3wdboMZXZN7ksz0cP7WFcXnv61EkC+0uDUEhGL4:vWtJUdPuO3wJoMZXZNGeXnv6ZUPc

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79.exe

    • Size

      981KB

    • MD5

      462a9165371be9c5f86b76adbc068d37

    • SHA1

      ff92bce9d712585aea9d85be80c3142a23353613

    • SHA256

      20b22e21664030bcbea413d2c054f99f62956cf9feedc6148fe34870ce124f79

    • SHA512

      c4008ca783ff00c5416167731944c5b5dcdeb7eefd114b6c2ad450b60e49a01cda62eab377c5e7cf084382c5b7738c7756a3a4875c7de732ff2d8a91bc62a601

    • SSDEEP

      12288:NiweayfGZVFFaAmpa/JQYemIy0R5C83ju8IhEZEusORzu+2p4EeP1R6FUkR:YweaMGj+Vzy0PC837IYHsU1Ma6FT

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    • Vipkeylogger family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks