General

  • Target

    Inquiry HA-22-28199 22-077.vbs

  • Size

    12KB

  • Sample

    241110-g4wtps1epr

  • MD5

    605abed3e1d7266ea35c8517b5961010

  • SHA1

    4c35a1a9e7385b8216812f3c6ff73b23b1710d18

  • SHA256

    394ce0420dc3786db150a630ceb90bac466bf4a3c3f1f792441fed6fb0b6dc34

  • SHA512

    15ff74ef09974c51a36cd4197c45c3391dd76317c2d278a34c9df5adf3cbee41f6fc9cf25450d73f3e6f4e63f00c0e65d874f6b572421bf49611544d11467bbc

  • SSDEEP

    192:bWyKzktunJRUyKzktJDlvgia0GONzU09iT0yFnVk03u3A/WeFW9tWHaFi:Cy44unfUy44dPlzNiKeFsin

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Extracted

Family

vipkeylogger

Targets

    • Target

      Inquiry HA-22-28199 22-077.vbs

    • Size

      12KB

    • MD5

      605abed3e1d7266ea35c8517b5961010

    • SHA1

      4c35a1a9e7385b8216812f3c6ff73b23b1710d18

    • SHA256

      394ce0420dc3786db150a630ceb90bac466bf4a3c3f1f792441fed6fb0b6dc34

    • SHA512

      15ff74ef09974c51a36cd4197c45c3391dd76317c2d278a34c9df5adf3cbee41f6fc9cf25450d73f3e6f4e63f00c0e65d874f6b572421bf49611544d11467bbc

    • SSDEEP

      192:bWyKzktunJRUyKzktJDlvgia0GONzU09iT0yFnVk03u3A/WeFW9tWHaFi:Cy44unfUy44dPlzNiKeFsin

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    • Vipkeylogger family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks