General

  • Target

    NEW90FL0OtSHAz.bat.exe

  • Size

    714KB

  • Sample

    241203-qey27sslcj

  • MD5

    884a8f2e4c08dc7ae2365112da323629

  • SHA1

    715ca2cd2b469a7db50c1405dbb311cdb2a04b33

  • SHA256

    42f45b8d26258e4b40387bda1c948fc89e3754d735ed0b69a5baaf02678ab496

  • SHA512

    8b624003c7f320e5be6a7d672d9919258ac2014a03b3e467a10265a2d661f833ff96f94ac296dd9b248e836b7a105012f3eb453e87e27a0f2828d23973673c24

  • SSDEEP

    12288:cUyIR4R52J+XtmucV6XShTHbkRV5G6tEIYqAaFbXsq2x9HNQQOLAWfbFQCBIR:cUyIeeRP7hT7kRVsKEIYkFbXsq+FNQQ/

Malware Config

Extracted

Family

vipkeylogger

Targets

    • Target

      NEW90FL0OtSHAz.bat.exe

    • Size

      714KB

    • MD5

      884a8f2e4c08dc7ae2365112da323629

    • SHA1

      715ca2cd2b469a7db50c1405dbb311cdb2a04b33

    • SHA256

      42f45b8d26258e4b40387bda1c948fc89e3754d735ed0b69a5baaf02678ab496

    • SHA512

      8b624003c7f320e5be6a7d672d9919258ac2014a03b3e467a10265a2d661f833ff96f94ac296dd9b248e836b7a105012f3eb453e87e27a0f2828d23973673c24

    • SSDEEP

      12288:cUyIR4R52J+XtmucV6XShTHbkRV5G6tEIYqAaFbXsq2x9HNQQOLAWfbFQCBIR:cUyIeeRP7hT7kRVsKEIYkFbXsq+FNQQ/

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    • Vipkeylogger family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks