General

  • Target

    MT103-8819006.DOCS.vbs

  • Size

    13KB

  • Sample

    241126-jwkgtaymdq

  • MD5

    a2dc941889770cb179129bf7cb89bdff

  • SHA1

    08a0a77a3754e6bee435810785802e0d054ce46b

  • SHA256

    9b8e6b4547ae0f5a3e4af5a94282ccd5bcbb464dabe75ec564315cd768d25806

  • SHA512

    e5495fe46ac92d0e92913c750224435e013e62def24f32781802964b66ee343d5bb8724f337c478eabc428a59e42a955b5f1f879463b0d8bc45803720b062006

  • SSDEEP

    192:REpO+HDu/0/Jutko/4jos+9/uHLGHRkfkX:REs+AftkW8p+9/urGHRk8X

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

    Yes

  • URLs

    ps1.dropper: https://3105.filemail.com/api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c

    exe.dropper: https://3105.filemail.com/api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c

Extracted

Family

vipkeylogger

Targets

    • Target

      MT103-8819006.DOCS.vbs

    • Size

      13KB

    • MD5

      a2dc941889770cb179129bf7cb89bdff

    • SHA1

      08a0a77a3754e6bee435810785802e0d054ce46b

    • SHA256

      9b8e6b4547ae0f5a3e4af5a94282ccd5bcbb464dabe75ec564315cd768d25806

    • SHA512

      e5495fe46ac92d0e92913c750224435e013e62def24f32781802964b66ee343d5bb8724f337c478eabc428a59e42a955b5f1f879463b0d8bc45803720b062006

    • SSDEEP

      192:REpO+HDu/0/Jutko/4jos+9/uHLGHRkfkX:REs+AftkW8p+9/urGHRk8X

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first found in 2020.

    • Vipkeylogger family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks