General
-
Target
INQ02010391.vbs
-
Size
137KB
-
Sample
241114-xgjhvsvqam
-
MD5
ed54f068782aaff84dce2776a3ffbd73
-
SHA1
48a75d4b075131bf9abcfb3b77e64ace881f1b8e
-
SHA256
64c7c1b70a135415a835bb48c638ca47db929b1df28bb62aaacd9cdcac76553b
-
SHA512
9397d85e1e20b36736b6780fe7af5b3b5309ca2096368f3d99d3de3bbdfe348bb55854aef7a726ba55ac4210e19c2ab00bf82dae82a67354c50476217db90ba6
-
SSDEEP
3072:SXs3fFf2ghaYlNAuaq/XDptbxILKDngt5pPGwm:SXSf4eJA0XDjbKG
Malware Config
Extracted
https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f
https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f
Extracted
vipkeylogger
Protocol: smtp- Host:
hosting2.ro.hostsailor.com - Port:
587 - Username:
[email protected] - Password:
7213575aceACE@@ - Email To:
[email protected]
Targets
-
-
Target
INQ02010391.vbs
-
Size
137KB
-
MD5
ed54f068782aaff84dce2776a3ffbd73
-
SHA1
48a75d4b075131bf9abcfb3b77e64ace881f1b8e
-
SHA256
64c7c1b70a135415a835bb48c638ca47db929b1df28bb62aaacd9cdcac76553b
-
SHA512
9397d85e1e20b36736b6780fe7af5b3b5309ca2096368f3d99d3de3bbdfe348bb55854aef7a726ba55ac4210e19c2ab00bf82dae82a67354c50476217db90ba6
-
SSDEEP
3072:SXs3fFf2ghaYlNAuaq/XDptbxILKDngt5pPGwm:SXSf4eJA0XDjbKG
Score10/10-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Vipkeylogger family
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-