General

  • Target

    Fiyat Teklifi_2038900001-MOKAPTO-06122024.exe

  • Size

    704KB

  • Sample

    241206-klez1svlhr

  • MD5

    7be6615ed9de7651430f25cefb5242aa

  • SHA1

    0f2e10104b0e534f8d1276eb9d0e17b6340a2e55

  • SHA256

    026667c355c49456c0e6b01005387cc667df9dc9328b8fa5b4a8ebfb981e75d2

  • SHA512

    6e61bfb4fc0cfc2ed74560208ad08b5f394058f6332ab7a894b8ebd73f792e3dc3c33499af8fb38e50e838a42f8c65b1a7e272e065224011364e8bcbc0106738

  • SSDEEP

    12288:vPGy+6yqjlE/HjyUPpHOuOcc3t95eqK53L0J9AvJCjCB/1IwCe9azLoUutZAN:lFXl0Hjr7C3t956bMARC+/tCpLoUE

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.hazerbaba.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    ao4227187

Extracted

Family

vipkeylogger

Targets

    • Target

      Fiyat Teklifi_2038900001-MOKAPTO-06122024.exe

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#. It resembles SnakeKeylogger, which was found in 2020.

    • Vipkeylogger family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks