General
-
Target
8a309b62d7319624bb969198a1e892b8b943a215ac32cda6f2ae48122b23d910.doc
-
Size
899KB
-
Sample
241114-daefsatdmm
-
MD5
316751bdb6439a13df5d7153e0348d5a
-
SHA1
4ce31487ca398ee16e3a500be9599724b669af0f
-
SHA256
8a309b62d7319624bb969198a1e892b8b943a215ac32cda6f2ae48122b23d910
-
SHA512
926d77a89ef593e55eb02413005a6c6932ea23e9ddd3d769b9a28cec86c29d8ae7109b55814df532417d3baabdb2408805c8b0b178f4a83e036f66880f06e825
-
SSDEEP
6144:swAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAykns:p0
Static task
static1
Behavioral task
behavioral1
Sample
8a309b62d7319624bb969198a1e892b8b943a215ac32cda6f2ae48122b23d910.rtf
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
8a309b62d7319624bb969198a1e892b8b943a215ac32cda6f2ae48122b23d910.rtf
Resource
win10v2004-20241007-en
Malware Config
Extracted
vipkeylogger
Protocol: smtp- Host:
mail.jhxkgroup.online - Port:
587 - Username:
[email protected] - Password:
7213575aceACE@@ - Email To:
[email protected]
Targets
-
-
Target
8a309b62d7319624bb969198a1e892b8b943a215ac32cda6f2ae48122b23d910.doc
-
Size
899KB
-
MD5
316751bdb6439a13df5d7153e0348d5a
-
SHA1
4ce31487ca398ee16e3a500be9599724b669af0f
-
SHA256
8a309b62d7319624bb969198a1e892b8b943a215ac32cda6f2ae48122b23d910
-
SHA512
926d77a89ef593e55eb02413005a6c6932ea23e9ddd3d769b9a28cec86c29d8ae7109b55814df532417d3baabdb2408805c8b0b178f4a83e036f66880f06e825
-
SSDEEP
6144:swAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAykns:p0
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Vipkeylogger family
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Exploitation for Client Execution
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2