General
-
Target
5cce0ced936e5d9c13d6a4a8a3c149371c92236eb4c465e0e422142946509cea.exe
-
Size
769KB
-
Sample
241121-fwgt5szdjj
-
MD5
7b5985233faf11890e9cf4c7b579983b
-
SHA1
cb2f20ad79ea7d8a1758ac2ae90a1c6d7f47e784
-
SHA256
5cce0ced936e5d9c13d6a4a8a3c149371c92236eb4c465e0e422142946509cea
-
SHA512
bb8dd656ebf8a7c3c1a2abb86d10e0647e6c84f5d090ec8725fca504691f517c8b5776e2305bf041551e3d311ecd5797371a9c2cf77714ee8ac03b477b42cd0b
-
SSDEEP
12288:nrOm+Ri3AgFdiFJ02txMwyv75ykUeobZ+G8uRGYK9dQLtVd+8hbi7E078mDX:SQ3AgQJHtxzPkrob827UQr/QE078mDX
Static task
static1
Behavioral task
behavioral1
Sample
5cce0ced936e5d9c13d6a4a8a3c149371c92236eb4c465e0e422142946509cea.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
5cce0ced936e5d9c13d6a4a8a3c149371c92236eb4c465e0e422142946509cea.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
vipkeylogger
Protocol: smtp- Host:
mail.contfly.pt - Port:
587 - Username:
[email protected] - Password:
Transportes2022* - Email To:
[email protected]
Targets
-
-
Target
5cce0ced936e5d9c13d6a4a8a3c149371c92236eb4c465e0e422142946509cea.exe
-
Size
769KB
-
MD5
7b5985233faf11890e9cf4c7b579983b
-
SHA1
cb2f20ad79ea7d8a1758ac2ae90a1c6d7f47e784
-
SHA256
5cce0ced936e5d9c13d6a4a8a3c149371c92236eb4c465e0e422142946509cea
-
SHA512
bb8dd656ebf8a7c3c1a2abb86d10e0647e6c84f5d090ec8725fca504691f517c8b5776e2305bf041551e3d311ecd5797371a9c2cf77714ee8ac03b477b42cd0b
-
SSDEEP
12288:nrOm+Ri3AgFdiFJ02txMwyv75ykUeobZ+G8uRGYK9dQLtVd+8hbi7E078mDX:SQ3AgQJHtxzPkrob827UQr/QE078mDX
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Vipkeylogger family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2