General
-
Target
14112024_1557_14112024_INQ02010391_14112024.7z
-
Size
23KB
-
Sample
241114-td12yszqg1
-
MD5
83591cf1d8bc47787ba3745d7544abec
-
SHA1
bb3c42c73163d95fabbb000cc4269737e7d42dbe
-
SHA256
48bb30fd0e12538f0e4fd35cfec2417a16902e1ef49f32b26bdd7a51344b324a
-
SHA512
06e3f69b6ee23579f63835b9396cf3b1567265895aa4e6ee4ecdabd6d8825a8e5441d1c137e63596f0c334b53b63ce2e3054d68465e11ddbedd0e5cde0f706ca
-
SSDEEP
384:gzs/fmcoosdEhIDXQuzIfmuqHDhNBvDWeQ3VAPUMC4hN5hyLtiBpSTG3PX0nj8KO:gzsuch5I7QgFuyXBKFyMMrlh6Y+GfEj6
Static task
static1
Behavioral task
behavioral1
Sample
INQ02010391.vbs
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
INQ02010391.vbs
Resource
win10v2004-20241007-en
Malware Config
Extracted
https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f
https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f
Extracted
vipkeylogger
Protocol: smtp- Host:
hosting2.ro.hostsailor.com - Port:
587 - Username:
[email protected] - Password:
7213575aceACE@@ - Email To:
[email protected]
Targets
-
-
Target
INQ02010391.vbs
-
Size
137KB
-
MD5
ed54f068782aaff84dce2776a3ffbd73
-
SHA1
48a75d4b075131bf9abcfb3b77e64ace881f1b8e
-
SHA256
64c7c1b70a135415a835bb48c638ca47db929b1df28bb62aaacd9cdcac76553b
-
SHA512
9397d85e1e20b36736b6780fe7af5b3b5309ca2096368f3d99d3de3bbdfe348bb55854aef7a726ba55ac4210e19c2ab00bf82dae82a67354c50476217db90ba6
-
SSDEEP
3072:SXs3fFf2ghaYlNAuaq/XDptbxILKDngt5pPGwm:SXSf4eJA0XDjbKG
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Vipkeylogger family
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-