General

  • Target

    998e109be5cd7e3b3f8f1ee27dd7ce30db60c50f51484b203fad97f82be1840a

  • Size

    688KB

  • Sample

    241203-l2sfqawkep

  • MD5

    80ad9ae5014002eec46312cccfa7ef33

  • SHA1

    2744afb6b13db0a5cff36c60a9f13a9bbf6d2cbe

  • SHA256

    998e109be5cd7e3b3f8f1ee27dd7ce30db60c50f51484b203fad97f82be1840a

  • SHA512

    ef3a6c0068a87f31453bec02ad01ae6ce8c50e34b04b0157c4b76a93106124b62b119ea357d08d3ff5df277ff4509a085c91bb03ab8f71e01310525ade798953

  • SSDEEP

    12288:zxG7xPUElGHzO/p2eylwkg20vGXsHiMs9MpPhFE2Z740Rjm:znRzOR2eyCFBiMs9MbWe40R6

Malware Config

Extracted

Family

vipkeylogger

Targets

    • Target

      PF-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe

    • Size

      782KB

    • MD5

      028368ea164039476410d99a0c255171

    • SHA1

      b0a6c175ad5d3af65ba65909a6f063d0623547de

    • SHA256

      61fd5fdd2ecbc361f332c4e23255a0eb6b2fb6f1d3a45403b5248a41185ffa5f

    • SHA512

      694941ee1fde12dc831bd41b3c7ed6a6273a90cc061db67ad62c6d765732f1cd7d8585e93ca6036a197193af764f557af77128d078bb81d359cf7f895a1f46c7

    • SSDEEP

      24576:LqIeesFjCNxpIt6PS0G7P1AKy45Vf27pjI:WBeu2xpY7P/y43f27pj

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#. It closely resembles SnakeKeylogger, which was first seen in 2020.

    • Vipkeylogger family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes so the dropped payload is never scanned (Impair Defenses: Disable or Modify Tools, T1562.001). On a suspect host, compare the ExclusionPath, ExclusionExtension and ExclusionProcess lists from Get-MpPreference against your baseline and look for Microsoft-Windows-Windows Defender/Operational event 5007 (configuration changed) around the time of infection.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence so that the sample aborts or behaves differently in certain locales (System Location Discovery, T1614).

    • Reads user/profile data of local email clients

      Email clients store profile and credential data on disk, which infostealers routinely harvest.

    • Reads user/profile data of web browsers

      Infostealers routinely target stored browser data, which can include saved credentials and session cookies.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate public IP lookup service to learn the infected system's external IP address, typically included in the victim profile it exfiltrates. A non-browser process resolving or contacting such a service is a useful hunting signal.

    • Suspicious use of SetThreadContext

      SetThreadContext redirects execution of a thread in another process; outside debuggers it is typically the last step of process hollowing (create a suspended process, overwrite its image, point the thread at the new entry, resume), which is how many .NET stealers unpack their final payload (Process Injection: Process Hollowing, T1055.012).
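The behaviours listed above, expressed as hunting rules over host telemetry. This is an added example, not Triage's signature logic or anything recovered from the sample: the event schema, the hostname WS01, the user alice, the drop directory and the IP-lookup watchlist are assumptions, and the ATT&CK IDs are the standard Enterprise technique numbers for each behaviour. One rule covers each of the Defender-exclusion, geofence, email/browser data, external-IP-lookup and SetThreadContext items, and the browser or Outlook process opening its own store is deliberately allowlisted so the rules do not fire on normal use.

```python
"""Hunting rules for the behaviours in this report, run over constructed sample telemetry.
Added example, not Triage's own signature logic: event schema, host/user names, paths and
the IP-lookup watchlist are assumptions; ATT&CK IDs are the standard Enterprise technique numbers."""
import re
from dataclasses import dataclass
from ntpath import basename

# Assumed drop location for the report's target file (only the directory is invented).
MALWARE = r"C:\Users\alice\Downloads\PF-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe"

# Constructed sample events: positive and benign records per telemetry source.
SAMPLE_EVENTS = [
    # PowerShell script-block logging (Microsoft-Windows-PowerShell/Operational, Event ID 4104)
    {"source": "ps_scriptblock", "host": "WS01", "image": "powershell.exe",
     "script": r'Add-MpPreference -ExclusionPath "C:\Users\alice\AppData\Roaming" '
               r'-ExclusionExtension ".exe" -ExclusionProcess "RegSvcs.exe"'},
    # DNS queries (Sysmon Event ID 22)
    {"source": "dns", "host": "WS01", "image": MALWARE, "query": "checkip.dyndns.org"},
    {"source": "dns", "host": "WS01", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "query": "www.mozilla.org"},
    # Registry value reads (EDR registry telemetry)
    {"source": "registry", "host": "WS01", "image": MALWARE, "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"source": "registry", "host": "WS01", "image": MALWARE,
     "key": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
    # File reads (EDR file telemetry); the browser itself opening its own store is benign
    {"source": "file", "host": "WS01", "image": MALWARE,
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"source": "file", "host": "WS01", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    # Per-process API call trace (sandbox or EDR user-mode hooks)
    {"source": "api", "host": "WS01", "image": MALWARE,
     "calls": ["CreateProcess(CREATE_SUSPENDED)", "NtUnmapViewOfSection", "WriteProcessMemory",
               "SetThreadContext", "ResumeThread"]},
]

@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str  # MITRE ATT&CK Enterprise technique ID
    host: str
    image: str
    detail: str

# Add-/Set-MpPreference with any -Exclusion* parameter: Impair Defenses (T1562.001).
EXCLUSION_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Extension|Process|IpAddress)\b", re.I)
EXCLUSION_ARG_RE = re.compile(r"-Exclusion(Path|Extension|Process|IpAddress)\s+[\"']?([^\"'\s]+)", re.I)
# Public "what is my IP" services (assumed watchlist; extend it from your own DNS/proxy baseline).
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "ip-api.com", "icanhazip.com", "ipinfo.io"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # legitimately open the stores matched below
CRED_STORE_RE = re.compile(
    r"\\(?:Google\\Chrome|Microsoft\\Edge)\\User Data\\.*\\(?:Login Data|Cookies|Web Data)$"
    r"|\\Mozilla\\Firefox\\Profiles\\.*\\(?:logins\.json|key4\.db|cookies\.sqlite)$", re.I)
# Hollowing order; NtUnmapViewOfSection is optional in practice, so it is not required.
HOLLOW_SEQ = ["CreateProcess(CREATE_SUSPENDED)", "WriteProcessMemory", "SetThreadContext", "ResumeThread"]

def _in_order(needle, hay):
    """True if every item of needle occurs in hay in that order (gaps allowed)."""
    it = iter(hay)
    return all(x in it for x in needle)

def _rule_ps(ev):
    if EXCLUSION_RE.search(ev["script"]):
        args = ", ".join(f"{k}={v}" for k, v in EXCLUSION_ARG_RE.findall(ev["script"]))
        return Finding("defender_exclusion_added", "T1562.001", ev["host"], ev["image"], args)

def _rule_dns(ev):
    if ev["query"].lower() in IP_LOOKUP_HOSTS and basename(ev["image"]).lower() not in BROWSERS:
        return Finding("external_ip_lookup", "T1016", ev["host"], ev["image"], ev["query"])

def _rule_registry(ev):
    key = ev["key"].lower()
    if key.endswith(r"\international\geo\nation"):
        return Finding("geofence_check", "T1614", ev["host"], ev["image"], ev["key"])
    if r"\outlook\profiles" in key and basename(ev["image"]).lower() != "outlook.exe":
        return Finding("outlook_profile_access", "T1114.001", ev["host"], ev["image"], ev["key"])

def _rule_file(ev):
    if CRED_STORE_RE.search(ev["path"]) and basename(ev["image"]).lower() not in BROWSERS:
        return Finding("browser_credential_store_read", "T1555.003", ev["host"], ev["image"], ev["path"])

def _rule_api(ev):
    if _in_order(HOLLOW_SEQ, ev["calls"]):
        return Finding("process_hollowing", "T1055.012", ev["host"], ev["image"], " -> ".join(HOLLOW_SEQ))

RULES = {"ps_scriptblock": _rule_ps, "dns": _rule_dns, "registry": _rule_registry,
         "file": _rule_file, "api": _rule_api}

def hunt(events):
    """Apply the rule matching each event's source; findings come back in event order."""
    findings = []
    for ev in events:
        f = RULES.get(ev["source"], lambda _: None)(ev)
        if f:
            findings.append(f)
    return findings

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.technique}] {f.rule:30} {basename(f.image)}: {f.detail}")
```

Run as-is it prints six findings for the constructed events and nothing for the benign ones. The process allowlists are the point worth copying: Chrome reading its own Login Data or Outlook reading its own profile key is normal, so the rules key on who performs the read, not only on the path. Feed it your own normalised Sysmon or EDR records with the same source names to reuse the rules.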

MITRE ATT&CK Enterprise v15

Tasks