General

  • Target

    1ecf2326311e2c2e98ec0548958da41dafcc961c9ec07088c0c646445f51a30a

  • Size

    1.2MB

  • Sample

    241130-zfpdtsyndj

  • MD5

    274886fceb562b62f7c9047ea003e7cb

  • SHA1

    4e08243ed9caf495ad6337029aad1ed207fe6a52

  • SHA256

    1ecf2326311e2c2e98ec0548958da41dafcc961c9ec07088c0c646445f51a30a

  • SHA512

    01544cf243f46ce27c59fc3ecb91df7941142d87260fae0c4c68191f6c1712e3f055040098bae7969200ea810daf03633937e6b9d194add7be0c46a14e3df2a6

  • SSDEEP

    24576:ffmMv6Ckr7Mny5QLjGFLhUQkAO6AS2GEuY5++o+:f3v+7/5QLcOYO6eLrk+

Malware Config

Extracted

Family

vipkeylogger

Credentials

  • C2:
    https://api.telegram.org/bot7323823089:AAFBRsTW94zIpSoDS8yfGsotlQLqF2I6TU0/sendMessage?chat_id=5013849544

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.vvtrade.vn
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    qVyP6qyv6MQCmZJBRs4t

Targets

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first found in 2020.

    • Vipkeylogger family

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks