General

  • Target

    2e73158c86afa9fa475bf17a90da26173901106fb3977c5f19a33d8e434809f1N

  • Size

    721KB

  • Sample

    241110-qygbhayame

  • MD5

    676e09400b07f151e4e402284e88b8c0

  • SHA1

    f5ac11d146a72e002ff5bdc1627750d6742b1f22

  • SHA256

    2e73158c86afa9fa475bf17a90da26173901106fb3977c5f19a33d8e434809f1

  • SHA512

    6b754b38f27f092068e5847605dead0f0347decf92043dfba6f73a77f786e5040204cb9d7f20197eeed7737ddaf015d93d543861d5d2504a986e5389907570ff

  • SSDEEP

    12288:E1xZ5n0179tQbEeX/zYM28x7JsAzZTgkjb+UQf6KdSM2g7ocst3BlVU7doThdUD2:jt0//P2A7KAx+dT2g7ohRl6poThu5a4e

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      2e73158c86afa9fa475bf17a90da26173901106fb3977c5f19a33d8e434809f1N

    • Size

      721KB

    • MD5

      676e09400b07f151e4e402284e88b8c0

    • SHA1

      f5ac11d146a72e002ff5bdc1627750d6742b1f22

    • SHA256

      2e73158c86afa9fa475bf17a90da26173901106fb3977c5f19a33d8e434809f1

    • SHA512

      6b754b38f27f092068e5847605dead0f0347decf92043dfba6f73a77f786e5040204cb9d7f20197eeed7737ddaf015d93d543861d5d2504a986e5389907570ff

    • SSDEEP

      12288:E1xZ5n0179tQbEeX/zYM28x7JsAzZTgkjb+UQf6KdSM2g7ocst3BlVU7doThdUD2:jt0//P2A7KAx+dT2g7ohRl6poThu5a4e

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    • Vipkeylogger family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks