General

  • Target

    Hesap_Hareketleri_09122024_html.exe

  • Size

    978KB

  • Sample

    241210-sjnhdatlhl

  • MD5

    a1d6c4ee5e1bf8e8e8e335e25e3cb4ef

  • SHA1

    d55f64167243a1211ad7b3f51174c70f2d3d1c3d

  • SHA256

    0b0e33a49e209932b6fa85be230050e28ed46e35129a3b4b0b6f782ac4849f21

  • SHA512

    be8182bf4b9bef516dc113b05b2c3d0f834c1d8bb40f266da9948e23339ea94a2c63484f335da46410d5e6e291f997a2e9e2dfc32da73cd51db0fb053fea44c8

  • SSDEEP

    12288:Kfe0GVO35OOvzI/wDadTZoieenOIbgIC+Ukq09xZmFP85h7ScC3:Kff3c4uWadT+i3/bTUkqc8P8zSc

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      Hesap_Hareketleri_09122024_html.exe

    • Size

      978KB

    • MD5

      a1d6c4ee5e1bf8e8e8e335e25e3cb4ef

    • SHA1

      d55f64167243a1211ad7b3f51174c70f2d3d1c3d

    • SHA256

      0b0e33a49e209932b6fa85be230050e28ed46e35129a3b4b0b6f782ac4849f21

    • SHA512

      be8182bf4b9bef516dc113b05b2c3d0f834c1d8bb40f266da9948e23339ea94a2c63484f335da46410d5e6e291f997a2e9e2dfc32da73cd51db0fb053fea44c8

    • SSDEEP

      12288:Kfe0GVO35OOvzI/wDadTZoieenOIbgIC+Ukq09xZmFP85h7ScC3:Kff3c4uWadT+i3/bTUkqc8P8zSc

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    • Vipkeylogger family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks