General

  • Target

    Tübitak SAGE RfqF̴D̴P̴..exe

  • Size

    722KB

  • Sample

    241211-s8rakatman

  • MD5

    be1fd279d2d1f89e65b9439dff323714

  • SHA1

    2f36b00216c4db380b58691c3102a0eac7380266

  • SHA256

    6d78a3175d58d2c848e01e902d4554a9d037730f70a7b79d0090a495e01e6e6c

  • SHA512

    240185b2dac186b09953638a8ead891647dce11e27f945eafa3a66b7cce4db68a27ceef5906256e5bedef2a4a8739da29ecf39400a08ac8c46673de730d40159

  • SSDEEP

    12288:F7CNXmgL6FPw2X3g+FVAGv44UHOe9U6rNSk/6sGkXS:F7Ctmgu1LXXnX509XXXC

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first found in 2020.

    • Vipkeylogger family

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks