General

  • Target

    14112024_1557_14112024_INQ02010391_14112024.7z

  • Size

    23KB

  • Sample

    241114-td12yszqg1

  • MD5

    83591cf1d8bc47787ba3745d7544abec

  • SHA1

    bb3c42c73163d95fabbb000cc4269737e7d42dbe

  • SHA256

    48bb30fd0e12538f0e4fd35cfec2417a16902e1ef49f32b26bdd7a51344b324a

  • SHA512

    06e3f69b6ee23579f63835b9396cf3b1567265895aa4e6ee4ecdabd6d8825a8e5441d1c137e63596f0c334b53b63ce2e3054d68465e11ddbedd0e5cde0f706ca

  • SSDEEP

    384:gzs/fmcoosdEhIDXQuzIfmuqHDhNBvDWeQ3VAPUMC4hN5hyLtiBpSTG3PX0nj8KO:gzsuch5I7QgFuyXBKFyMMrlh6Y+GfEj6

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      INQ02010391.vbs

    • Size

      137KB

    • MD5

      ed54f068782aaff84dce2776a3ffbd73

    • SHA1

      48a75d4b075131bf9abcfb3b77e64ace881f1b8e

    • SHA256

      64c7c1b70a135415a835bb48c638ca47db929b1df28bb62aaacd9cdcac76553b

    • SHA512

      9397d85e1e20b36736b6780fe7af5b3b5309ca2096368f3d99d3de3bbdfe348bb55854aef7a726ba55ac4210e19c2ab00bf82dae82a67354c50476217db90ba6

    • SSDEEP

      3072:SXs3fFf2ghaYlNAuaq/XDptbxILKDngt5pPGwm:SXSf4eJA0XDjbKG

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    • Vipkeylogger family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks