General

  • Target

    228e6f4564fe08c94660250de5fc8832ce73b21edad1e81f6969c9a6dedbbfa9.exe

  • Size

    749KB

  • Sample

    241205-vbyz9ayrel

  • MD5

    3c70df024ff5a65f0785b0075939c3fd

  • SHA1

    05d7f92c1a6fec90ba6ab3a9b08944adbfe36832

  • SHA256

    228e6f4564fe08c94660250de5fc8832ce73b21edad1e81f6969c9a6dedbbfa9

  • SHA512

    380b50ef861a900cf97bb3354af8ddec0d0fc61751e96e5c3869a646f1e0be4adcc493b72292230f7a1fcc536d02d0dce9ed2a127795a0612b3d37c271925c4e

  • SSDEEP

    12288:/+Cb+eCSmSuo/HOMmO4ClOJwubAYNnv42S829nSQKYiTH/plXEX53:/Ccuo/HODCl/ubAEnS8Un7KxT7u

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    kashmirestore.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    c%P+6,(]YFvP

Extracted

Family

vipkeylogger

Targets

    • Target

      228e6f4564fe08c94660250de5fc8832ce73b21edad1e81f6969c9a6dedbbfa9.exe

    • Size

      749KB

    • MD5

      3c70df024ff5a65f0785b0075939c3fd

    • SHA1

      05d7f92c1a6fec90ba6ab3a9b08944adbfe36832

    • SHA256

      228e6f4564fe08c94660250de5fc8832ce73b21edad1e81f6969c9a6dedbbfa9

    • SHA512

      380b50ef861a900cf97bb3354af8ddec0d0fc61751e96e5c3869a646f1e0be4adcc493b72292230f7a1fcc536d02d0dce9ed2a127795a0612b3d37c271925c4e

    • SSDEEP

      12288:/+Cb+eCSmSuo/HOMmO4ClOJwubAYNnv42S829nSQKYiTH/plXEX53:/Ccuo/HODCl/ubAEnS8Un7KxT7u

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    • Vipkeylogger family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks