General

  • Target

    60fc7c50aff42fbe59f51bcec55bd48ef9e78025d471f26051907572cced5ef5.exe

  • Size

    680KB

  • Sample

    241119-e8ttsszpet

  • MD5

    a6177752dbabead53d95eabac10837e1

  • SHA1

    1af17abfdab7647552e9493b243d741b72983f7b

  • SHA256

    60fc7c50aff42fbe59f51bcec55bd48ef9e78025d471f26051907572cced5ef5

  • SHA512

    3ef7d426914d3a5a8faaeda1e729194fa7821f3898197223c12f1e9488dae0482a307f7c8d858e1bbac5b67cbfc7b21cc6ff861f8d5adfe8b8e1612119c3672c

  • SSDEEP

    12288:s9q/s0yt/bpp0UMK0Hb4R5KUeUCN/m1SmTQbGTbAsGmxHVvVuOaboMj4/W4VJ3NC:Jq/bppwK0sReUC1m1SiQbGTbAfYHyOgv

Malware Config

Extracted

Family

vipkeylogger

Targets

    • Target

      60fc7c50aff42fbe59f51bcec55bd48ef9e78025d471f26051907572cced5ef5.exe

    • Size

      680KB

    • MD5

      a6177752dbabead53d95eabac10837e1

    • SHA1

      1af17abfdab7647552e9493b243d741b72983f7b

    • SHA256

      60fc7c50aff42fbe59f51bcec55bd48ef9e78025d471f26051907572cced5ef5

    • SHA512

      3ef7d426914d3a5a8faaeda1e729194fa7821f3898197223c12f1e9488dae0482a307f7c8d858e1bbac5b67cbfc7b21cc6ff861f8d5adfe8b8e1612119c3672c

    • SSDEEP

      12288:s9q/s0yt/bpp0UMK0Hb4R5KUeUCN/m1SmTQbGTbAsGmxHVvVuOaboMj4/W4VJ3NC:Jq/bppwK0sReUC1m1SiQbGTbAfYHyOgv

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    • Vipkeylogger family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks