General

  • Target

    6a1c2df0bd6aacd1b69d3ab82b88b71f5552beaec7c452c36af1a3fed04c5bf2

  • Size

    861KB

  • Sample

    241115-yes5ys1aqm

  • MD5

    5bb7732a7e51e72677937a5c66e73794

  • SHA1

    8dbe997d772b107c6cfd1e1abd9f64128d65b2f7

  • SHA256

    6a1c2df0bd6aacd1b69d3ab82b88b71f5552beaec7c452c36af1a3fed04c5bf2

  • SHA512

    bb9eb8a6f9fb0416c2f632d3fd773bc57b8f10df87e1b570afa67b77f5b8e63794186394f307e9365c2df24efbcfa31c033c35f56dc075f18779c7c8787b48e4

  • SSDEEP

    24576:d1k1FidMNmlUabitlah20TmL5PGe3lQOno+QHPx5/OMZ:d1k1FiUmlUaygh2O6PGe1/zQv

Malware Config

Extracted

  • Family
    vipkeylogger
  • Credentials
    • Protocol: smtp
    • Host: mail.lisotel.com
    • Port: 587
    • Username: [email protected]
    • Password: Lisotel.2022_!

Targets

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first found in 2020.

    • Vipkeylogger family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks