General
-
Target
2e73158c86afa9fa475bf17a90da26173901106fb3977c5f19a33d8e434809f1N
-
Size
721KB
-
Sample
241110-qygbhayame
-
MD5
676e09400b07f151e4e402284e88b8c0
-
SHA1
f5ac11d146a72e002ff5bdc1627750d6742b1f22
-
SHA256
2e73158c86afa9fa475bf17a90da26173901106fb3977c5f19a33d8e434809f1
-
SHA512
6b754b38f27f092068e5847605dead0f0347decf92043dfba6f73a77f786e5040204cb9d7f20197eeed7737ddaf015d93d543861d5d2504a986e5389907570ff
-
SSDEEP
12288:E1xZ5n0179tQbEeX/zYM28x7JsAzZTgkjb+UQf6KdSM2g7ocst3BlVU7doThdUD2:jt0//P2A7KAx+dT2g7ohRl6poThu5a4e
Static task
static1
Behavioral task
behavioral1
Sample
2e73158c86afa9fa475bf17a90da26173901106fb3977c5f19a33d8e434809f1N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2e73158c86afa9fa475bf17a90da26173901106fb3977c5f19a33d8e434809f1N.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
vipkeylogger
Protocol: smtp
Host: mail.recsb.com
Port: 587
Username: [email protected]
Password: 1=vI*r6^
Email To: [email protected]
Targets
-
-
Target
2e73158c86afa9fa475bf17a90da26173901106fb3977c5f19a33d8e434809f1N
-
Size
721KB
-
MD5
676e09400b07f151e4e402284e88b8c0
-
SHA1
f5ac11d146a72e002ff5bdc1627750d6742b1f22
-
SHA256
2e73158c86afa9fa475bf17a90da26173901106fb3977c5f19a33d8e434809f1
-
SHA512
6b754b38f27f092068e5847605dead0f0347decf92043dfba6f73a77f786e5040204cb9d7f20197eeed7737ddaf015d93d543861d5d2504a986e5389907570ff
-
SSDEEP
12288:E1xZ5n0179tQbEeX/zYM28x7JsAzZTgkjb+UQf6KdSM2g7ocst3BlVU7doThdUD2:jt0//P2A7KAx+dT2g7ohRl6poThu5a4e
-
VIPKeylogger
VIPKeylogger is a keylogger and information stealer written in C#; it closely resembles SnakeKeylogger, which was first observed in 2020.
-
Vipkeylogger family
-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes so the payload is not scanned.
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
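The signatures above (PowerShell adding Defender exclusions, external IP lookup) and the extracted SMTP exfiltration config lend themselves to host-based detection. The following is an added example, not code from the report or from the sandbox: it runs simple rules over a handful of constructed Sysmon-style events (event ID 1 process creation, 22 DNS query, 3 network connection). The C2 host and port come from the report's Malware Config; the list of IP-lookup services, the list of mail clients treated as legitimate SMTP speakers, and the sample events are assumptions made up for the example. The PowerShell rule also decodes `-EncodedCommand` payloads, since a plain string match on the command line misses them.

```python
"""Detection rules for the behaviours in this report, run over constructed
Sysmon-style events. Added example: not code from the report or the sandbox."""
import base64
import re
from typing import Dict, Iterable, List

# Indicators taken from the report's extracted config.
EXFIL_SMTP_HOST = "mail.recsb.com"
EXFIL_SMTP_PORT = 587
SMTP_PORTS = {25, 465, 587}

# Assumptions, not from the report: illustrative IP-lookup services,
# processes that legitimately speak SMTP, and PowerShell host images.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "ipinfo.io",
                   "icanhazip.com", "ip-api.com"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# Add-MpPreference / Set-MpPreference with any of the three exclusion parameters.
DEFENDER_EXCLUSION_RE = re.compile(
    r"\b(?:Add|Set)-MpPreference\b[^;|]*?-Exclusion(?:Path|Extension|Process)\b",
    re.IGNORECASE)
# Candidate "-e... <base64>" pairs. PowerShell accepts any unambiguous prefix
# of -EncodedCommand, so the prefix check is done in code below.
ENCODED_FLAG_RE = re.compile(r"-(e[a-z]*)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or ""."""
    for flag, blob in ENCODED_FLAG_RE.findall(cmdline):
        if not "encodedcommand".startswith(flag.lower()):
            continue  # e.g. -ExecutionPolicy
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le", errors="ignore")
        except ValueError:
            continue
    return ""


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: Iterable[Dict]) -> List[Dict]:
    """Map each event to at most one alert; returns the alerts in event order."""
    alerts: List[Dict] = []
    for ev in events:
        eid = ev.get("EventID")
        image = _basename(ev.get("Image", ""))
        if eid == 1 and image in POWERSHELL_IMAGES:
            cmd = ev.get("CommandLine", "")
            decoded = decode_encoded_command(cmd)
            if DEFENDER_EXCLUSION_RE.search(cmd) or DEFENDER_EXCLUSION_RE.search(decoded):
                alerts.append({"rule": "defender_exclusion_via_powershell",
                               "image": image, "detail": decoded or cmd})
        elif eid == 22:
            query = ev.get("QueryName", "").lower().rstrip(".")
            if query in IP_LOOKUP_HOSTS:
                alerts.append({"rule": "external_ip_lookup", "image": image, "detail": query})
        elif eid == 3:
            host = ev.get("DestinationHostname", "").lower().rstrip(".")
            port = int(ev.get("DestinationPort") or 0)
            if host == EXFIL_SMTP_HOST and port == EXFIL_SMTP_PORT:
                alerts.append({"rule": "smtp_to_extracted_c2", "image": image,
                               "detail": f"{host}:{port}"})
            elif port in SMTP_PORTS and image not in MAIL_CLIENTS:
                alerts.append({"rule": "smtp_from_non_mail_client", "image": image,
                               "detail": f"{host}:{port}"})
    return alerts


def _encode_ps(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (used to build test input)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SAMPLE = "2e73158c86afa9fa475bf17a90da26173901106fb3977c5f19a33d8e434809f1N.exe"
DESKTOP = "C:\\Users\\user\\Desktop\\"          # assumed path
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

# Constructed events; field names follow Sysmon event IDs 1, 22 and 3.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": PS,
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -EncodedCommand "
                    + _encode_ps(r'Add-MpPreference -ExclusionPath "C:\Users\Public" -ExclusionExtension ".exe"')},
    {"EventID": 1, "Image": PS,
     "CommandLine": "powershell -nop -c \"Set-MpPreference -ExclusionProcess 'svchost.exe'\""},
    {"EventID": 1, "Image": PS, "CommandLine": "powershell -c Get-MpPreference"},   # benign read
    {"EventID": 22, "Image": DESKTOP + SAMPLE, "QueryName": "checkip.dyndns.org"},
    {"EventID": 22, "Image": PS, "QueryName": "www.microsoft.com"},
    {"EventID": 3, "Image": DESKTOP + SAMPLE,
     "DestinationHostname": EXFIL_SMTP_HOST, "DestinationPort": 587},
    {"EventID": 3, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "DestinationHostname": "smtp.office365.com", "DestinationPort": 587},
    {"EventID": 3, "Image": DESKTOP + SAMPLE,
     "DestinationHostname": "smtp.example.net", "DestinationPort": 465},
]


def run_sample() -> List[str]:
    """Return the names of the rules fired on the constructed events, in order."""
    return [a["rule"] for a in detect(SAMPLE_EVENTS)]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f'{alert["rule"]:34} {alert["image"]:12} {alert["detail"]}')
```

On the constructed input this fires five alerts: both Defender exclusion commands (the encoded one only because the payload is decoded first), the IP-lookup DNS query, the connection to the extracted SMTP host on 587, and the generic "SMTP from a non-mail-client process" rule; the benign `Get-MpPreference`, the Microsoft DNS query and Outlook's own SMTP traffic stay silent. In production the generic SMTP rule needs an allowlist tuned to the environment, and the IP-lookup list should be maintained from your own telemetry rather than hard-coded.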
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter (1): PowerShell (1)
Scheduled Task/Job (1): Scheduled Task (1)
Credential Access
Credentials from Password Stores (1): Credentials from Web Browsers (1)
Unsecured Credentials (2): Credentials In Files (2)