General

  • Target

    Hesap_Hareketleri_10122024_html.exe

  • Size

    846KB

  • Sample

    241210-qb3k8awlfv

  • MD5

    18709f2606d2834d725a5677bdd4d737

  • SHA1

    bbc16514aea1e283ba1863a5db34c71b0f574fc8

  • SHA256

    50087b010b52ec07a7f52a85b56dc43041aae17b428e6b0af3d52d797d427682

  • SHA512

    758d818dd3d252010e612ded4bf4846f053b1ad9c06d5139c7d65c35a9956ee7655c567c9efcfdb24122fe1dd55a324bf30277152da85e56be2f2e656e853b9e

  • SSDEEP

    12288:nFMFoFvNLrJG2FYswEHLwSdNY8O7jbXdhb0mqqbNtYKy0QZURoSGb5hfBMG+wy9n:vFnJNY8KDzqCXW0g2edhf5+wFO

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      Hesap_Hareketleri_10122024_html.exe

    • Size

      846KB

    • MD5

      18709f2606d2834d725a5677bdd4d737

    • SHA1

      bbc16514aea1e283ba1863a5db34c71b0f574fc8

    • SHA256

      50087b010b52ec07a7f52a85b56dc43041aae17b428e6b0af3d52d797d427682

    • SHA512

      758d818dd3d252010e612ded4bf4846f053b1ad9c06d5139c7d65c35a9956ee7655c567c9efcfdb24122fe1dd55a324bf30277152da85e56be2f2e656e853b9e

    • SSDEEP

      12288:nFMFoFvNLrJG2FYswEHLwSdNY8O7jbXdhb0mqqbNtYKy0QZURoSGb5hfBMG+wy9n:vFnJNY8KDzqCXW0g2edhf5+wFO

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    • Vipkeylogger family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks