General

  • Target

    4b38ed91279087b64a22c3295dca641c.bin

  • Size

    821KB

  • Sample

    241130-bll9navqd1

  • MD5

    d685f97b5d753d747ec6cf887946e18c

  • SHA1

    34cbd9093f094b21839d0142e1f7567318942b1f

  • SHA256

    28f1dbc23e2a990bc78165e7557b6702d1636fddde3c39e086b886057061ac37

  • SHA512

    58456d3f8e9517955ac9d10c7f6ae4d86630f800dc4910b5bd6c54067120a48afd9402d4ff98b5bcfc3c7e75c05783b5bb98c71e50971e2ab5ab5f87eb040a9d

  • SSDEEP

    12288:0hJkX7M8Y6RSKTzvqXJu/HMLkZPlUMaKZt02E6bCYEq4qflH5IVWjqynHZ:7XLPHFkLkx9Zt0H6bCYPtHGWGyn5

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      INQUIRY_pdf.exe

    • Size

      885KB

    • MD5

      0eff2e486b1c46cbf55bc4284355f1ee

    • SHA1

      f9a921a9ef66c0c1c0fcd6fe02aafc8461f05691

    • SHA256

      b7bbe88d2daceef7fdbd706adbdf6532976f23916701739ee0987f77f36b980a

    • SHA512

      b52122ca5444d606775d7426b7e19bd3090a89c486585c88b33b9fd57a7d87f0e591b7395b538646d93f2d9463d21f281ea5a4a57afb8c12a66d067dc0e3b20b

    • SSDEEP

      24576:t2xjaLCnYnbUX2bWOTk7k86ht45oS93GyIrKa:ADnYi6WMlxtxS93GNrK

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    • Vipkeylogger family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks