Overview

overview

10

Static

static

1

Payment Copy.docx

windows7-x64

10

Payment Copy.docx

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Payment Copy.docx

  • Size

    459KB

  • Sample

    241113-hn5bkszqel

  • MD5

    461b9e11fc472678391ea0896131e3fd

  • SHA1

    1d5d856bd620c7ed772701f848ae53124d2bfbdd

  • SHA256

    e2eec3fead32a394e15dc805efb549f453b3020cde2e37f6d36020b0297d0d4d

  • SHA512

    6bb127c496c6e01c1b86fc4a88cd26ca4f173be414494d58dbca921de660f9f6b3368d86c7fb224e22865908377060df574573c91944d1c526040437e13cec00

  • SSDEEP

    6144:A6lcbR5HastSFXbqUAbqUAbqUvyLE8IIIIIW0ru0rqme6eeCe9vCeXhdA99tmYL/:ZARtUVhpr/rqIXQ9mrm9Bt2mhW8G0Y4

Score
10/10
vipkeyloggercollectiondiscoveryexecutionkeyloggerspywarestealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      Payment Copy.docx

    • Size

      459KB

    • MD5

      461b9e11fc472678391ea0896131e3fd

    • SHA1

      1d5d856bd620c7ed772701f848ae53124d2bfbdd

    • SHA256

      e2eec3fead32a394e15dc805efb549f453b3020cde2e37f6d36020b0297d0d4d

    • SHA512

      6bb127c496c6e01c1b86fc4a88cd26ca4f173be414494d58dbca921de660f9f6b3368d86c7fb224e22865908377060df574573c91944d1c526040437e13cec00

    • SSDEEP

      6144:A6lcbR5HastSFXbqUAbqUAbqUvyLE8IIIIIW0ru0rqme6eeCe9vCeXhdA99tmYL/:ZARtUVhpr/rqIXQ9mrm9Bt2mhW8G0Y4

    Score
    10/10
    vipkeyloggercollectiondiscoveryexecutionkeyloggerspywarestealer

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

      stealerkeyloggervipkeylogger

    • Vipkeylogger family

      vipkeylogger

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Downloads MZ/PE file

    • Abuses OpenXML format to download file from external location

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks