vipkeylogger | 5a8467ab773f458f57d5942d6fe612c5048c50b19e7d63c82ff1eac99a324e2b | Triage

Sharing

General

Target

5a8467ab773f458f57d5942d6fe612c5048c50b19e7d63c82ff1eac99a324e2b
Size

857KB
Sample

241117-dldcvszdpp
MD5

d29c5fb95585ed107d8473d204d520ae
SHA1

4a008ac6426aa63e7fbb7ce25810342efaeb6607
SHA256

5a8467ab773f458f57d5942d6fe612c5048c50b19e7d63c82ff1eac99a324e2b
SHA512

e8091d7c0bffeafe9642e55db9520475db1c3a6a6355a8e10f20971af036cdd94e9c1067b75bccc4ccd542b361839fa27bf743e103ba3c08495fbebc4ca149cc
SSDEEP

12288:i1je1F7Y7dLYe5/OMM8kWXoCfKMbe7Tp4LB3GGlpFDVxhMFWYwZf:i1K1FidR/OMZ3dbspaB3GGlppndZ

Score

10^/10

vipkeylogger collection discovery execution keylogger stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.tlakovec.si
Port:
587
Username:
[email protected]
Password:
@nartsantelps

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.tlakovec.si
Port:
587
Username:
[email protected]
Password:
@nartsantelps
Email To:
[email protected]

Targets

- Target
  
  5a8467ab773f458f57d5942d6fe612c5048c50b19e7d63c82ff1eac99a324e2b
- Size
  
  857KB
- MD5
  
  d29c5fb95585ed107d8473d204d520ae
- SHA1
  
  4a008ac6426aa63e7fbb7ce25810342efaeb6607
- SHA256
  
  5a8467ab773f458f57d5942d6fe612c5048c50b19e7d63c82ff1eac99a324e2b
- SHA512
  
  e8091d7c0bffeafe9642e55db9520475db1c3a6a6355a8e10f20971af036cdd94e9c1067b75bccc4ccd542b361839fa27bf743e103ba3c08495fbebc4ca149cc
- SSDEEP
  
  12288:i1je1F7Y7dLYe5/OMM8kWXoCfKMbe7Tp4LB3GGlpFDVxhMFWYwZf:i1K1FidR/OMZ3dbspaB3GGlppndZ
Score

10^/10

vipkeylogger collection discovery execution keylogger stealer
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

vipkeyloggercollectiondiscoveryexecutionkeyloggerstealer

behavioral2

vipkeyloggercollectiondiscoveryexecutionkeyloggerstealer