General

  • Target

    0eff2e486b1c46cbf55bc4284355f1ee.bin

  • Size

    820KB

  • Sample

    241130-bc51eazkdq

  • MD5

    3b63bd7a02bb90069ec98e1bf9b86ef0

  • SHA1

    88d36a997bec1eedb2cb71695a172b76a00c3f7f

  • SHA256

    3a76da48b0725ae553e34eb732850177df0b1c17fc2d7666ef6c08ae5521e3e6

  • SHA512

    73b3a213977ecf2bb0c8f246b80928581e42f0b6dfebe26eec881b636770b4b121aae00c517ebb6cd6c24ada1a62384b5c54b9127d5948eac639443fb843beca

  • SSDEEP

    24576:yA6TJAJo8w9yx8sItO9qOLXaNVibwuXuON9x:JqAJ3+n7+AibweBj

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      b7bbe88d2daceef7fdbd706adbdf6532976f23916701739ee0987f77f36b980a.exe

    • Size

      885KB

    • MD5

      0eff2e486b1c46cbf55bc4284355f1ee

    • SHA1

      f9a921a9ef66c0c1c0fcd6fe02aafc8461f05691

    • SHA256

      b7bbe88d2daceef7fdbd706adbdf6532976f23916701739ee0987f77f36b980a

    • SHA512

      b52122ca5444d606775d7426b7e19bd3090a89c486585c88b33b9fd57a7d87f0e591b7395b538646d93f2d9463d21f281ea5a4a57afb8c12a66d067dc0e3b20b

    • SSDEEP

      24576:t2xjaLCnYnbUX2bWOTk7k86ht45oS93GyIrKa:ADnYi6WMlxtxS93GNrK

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

    • Vipkeylogger family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15