General

  • Target: DECEMBER PAYMENT.rar
  • Size: 492KB
  • Sample: 241209-sk786s1rcy
  • MD5: f351499172f5b333b4e4a2c266b29eea
  • SHA1: da8b8b4aa66e42110946a947ca1bce0329a43c7b
  • SHA256: 6effcde29dbe8304a62aebe8bd88db01c18de6aa946523a48c4bce5aa6d5ec3d
  • SHA512: aa4c6314de8b8330b962ce5b2fca07faa7d2e93d075a5700c6349b5863e222b893ea93177e6ba8a6ed2a9bcf2cf6f169b964eb949b9e63d2180e3dd37e9bc33e
  • SSDEEP: 12288:tv4kIuQ0QOmJpm9oxQuNrgrb1Mo4lXREH++p:tA0QXryrbyod

Malware Config

Extracted

Credentials

  • Protocol: smtp
  • Host: mail.irco.com.sa
  • Port: 587
  • Username: [email protected]
  • Password: info12A

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target: PO.exe
    • Size: 976KB
    • MD5: 123b5ecd85676f192dfe4a0d6d3b9419
    • SHA1: 5a96e18cde4f369646c421c58dd7ce92c307862d
    • SHA256: 520e219c0f4f6198428644141cbbb479607aa8aafc613c1d7abdaca2b8254359
    • SHA512: 1f12089b4fb87b0bb0d92c2a7562616269c8fcb6c409f5de74bba4c5f06dc29d24cdcd32120bce7c3cb8978afa8f7ab2cb121e4900c6275b4abf8d27f3884987
    • SSDEEP: 24576:yu6J33O0c+JY5UZ+XC0kGso6Fa6J35NOWY:0u0c++OCvkGs9Fa67Y

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.

    • Vipkeylogger family

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks