General

  • Target

    aca3d8614954a35938653f8a26effa4f96952d8227222ca57dda6ab7cd607424.zip

  • Size

    322KB

  • Sample

    241120-m2xwwazqaq

  • MD5

    461fb31b43e624c511221d21d9f9d4a0

  • SHA1

    2387ec6be50d1389f882ee5e19534ac757800ac8

  • SHA256

    0ed95d416e4f9d22d078073c8e5f17d2717f30b07414845cd5b578412ea90514

  • SHA512

    ee28c72266aa2f1a034dea27e9ee7dd9645154d95b576c2edb707710cc9b0e0baffa2e03ace638523d90466fa7c355791708ed4ff906b07e22a9a17ba6b55227

  • SSDEEP

    6144:ZnRY7u+c8O/U/0bSXvV7HDheQbpMY0QKDgoT0DQJEjBHE9uIOr:1qw/U/fH1eQbiY0QKkoT0UJEj0Or

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      aca3d8614954a35938653f8a26effa4f96952d8227222ca57dda6ab7cd607424.doc

    • Size

      459KB

    • MD5

      d2d23ccc53607370c926fe786f92c75b

    • SHA1

      8a84a9083d5b1e26fb9d0374efec7b259a3d059b

    • SHA256

      aca3d8614954a35938653f8a26effa4f96952d8227222ca57dda6ab7cd607424

    • SHA512

      2a38f263819d6350fdcc7e12345d68dbb6745eedef50ac261b488f73e534e0cc568c0d7dd909ca1bc438e436a9148aaf0f38f86792d8a92c174faef37e4396ca

    • SSDEEP

      6144:hdlcbR5HastSFXbqUAbqUAbqUvyLE8IIIIIW0ru0rqme6eeCe9vCeXhdYp9tmYL2:zARtUVhpr/rqIXM9mrm9Bt2mhW8G0Yf

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    • Vipkeylogger family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Abuses OpenXML format to download file from external location

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks