General
Target: Request for Quotation MK FMHS.RFQ.24.11.07.bat.exe
Size: 901KB
Sample: 241111-mvkb7sybnk
MD5: 39160062bf5c599a2176c44c4bd10b0b
SHA1: 7906e08060fb52bd72450f179338510282d204dd
SHA256: 955cb8de75d1143a7094743387ce5f52afecef4a07b22040d1da54050fed13cd
SHA512: 2eeff46c5aea104042f4ad0bf56ea4d5ffc1ea61c25d5c359fd862f33dd2d09d9949c1becbd78c9383c128d447789ceb8ab9357f623824363c8f43daf356d7b5
SSDEEP: 24576:1q0q4jNmNd746eRuKhEZkdM6yn8dvj7Nm:1qsmDedZyyj
Static task: static1
Behavioral task: behavioral1
  Sample: Request for Quotation MK FMHS.RFQ.24.11.07.bat.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: Request for Quotation MK FMHS.RFQ.24.11.07.bat.exe
  Resource: win10v2004-20241007-en
Malware Config
Extracted: vipkeylogger
Protocol: smtp
Host: mail.catanhoinvestments.com
Port: 587
Username: [email protected]
Password: RPgi34L1yoc
Email To: [email protected]
Targets
Target: Request for Quotation MK FMHS.RFQ.24.11.07.bat.exe (901KB; hashes as listed under General)
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.
- Vipkeylogger family
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP address.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (2): Credentials In Files (2)