General

  • Target

    Scan112024.vbs

  • Size

    11KB

  • Sample

    241111-kz15eaxanm

  • MD5

    f5678ceb6c0d259337b4dab43f009e97

  • SHA1

    71bc74501d1b126adb0bed8d7e4c3e182cd5bbbe

  • SHA256

    f4f50825743ac2b448f3254ff8ac01323ff16f9ed2287d0fe7614cf0b7a12348

  • SHA512

    463b6cca15009a574a454637f3d5555c3ebde0117f65c12d0803e9ca3dac0e534b157ef473deaf703b60db396bde0a384b9471f4fccaed33995217353619a739

  • SSDEEP

    192:mXThtJfTvuOg25CfSkYiGh6yR4W8L8tnQ2+mi3F8w/RHXS:8FOGqF/JHXS

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Extracted

Family

vipkeylogger

Targets

    • Target

      Scan112024.vbs

    • Size

      11KB

    • MD5

      f5678ceb6c0d259337b4dab43f009e97

    • SHA1

      71bc74501d1b126adb0bed8d7e4c3e182cd5bbbe

    • SHA256

      f4f50825743ac2b448f3254ff8ac01323ff16f9ed2287d0fe7614cf0b7a12348

    • SHA512

      463b6cca15009a574a454637f3d5555c3ebde0117f65c12d0803e9ca3dac0e534b157ef473deaf703b60db396bde0a384b9471f4fccaed33995217353619a739

    • SSDEEP

      192:mXThtJfTvuOg25CfSkYiGh6yR4W8L8tnQ2+mi3F8w/RHXS:8FOGqF/JHXS

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    • Vipkeylogger family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks