General
-
Target
bcdee41502d32ac1f8b9ef98a25047a18550caf4947cb8111c2276cabb106149
-
Size
845KB
-
Sample
241211-xyf43avnew
-
MD5
a4ff2584dad5f40a71bdd4a108528492
-
SHA1
ad9413cebc5c0fc3ab344c00cb361fef9b0a0efe
-
SHA256
bcdee41502d32ac1f8b9ef98a25047a18550caf4947cb8111c2276cabb106149
-
SHA512
b195494368e80e4d12c9cafced3f13bff87a828ce45cf97e7dbb2bcbe72512d8bdef536947dc43bcc3a8050b71149c9daf7557126cb7e667fdc3c9240c02b4d1
-
SSDEEP
24576:0HMGoI+smdM8YM72MiEi7XKE9TnFwFOh:0MG1hMKHEibNnqO
Static task
static1
Behavioral task
behavioral1
Sample
bcdee41502d32ac1f8b9ef98a25047a18550caf4947cb8111c2276cabb106149.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
bcdee41502d32ac1f8b9ef98a25047a18550caf4947cb8111c2276cabb106149.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
Protocol: smtp- Host:
mail.adendanismanlik.com.tr - Port:
587 - Username:
[email protected] - Password:
Omer1402&
Extracted
vipkeylogger
Protocol: smtp- Host:
mail.adendanismanlik.com.tr - Port:
587 - Username:
[email protected] - Password:
Omer1402& - Email To:
[email protected]
Targets
-
-
Target
bcdee41502d32ac1f8b9ef98a25047a18550caf4947cb8111c2276cabb106149
-
Size
845KB
-
MD5
a4ff2584dad5f40a71bdd4a108528492
-
SHA1
ad9413cebc5c0fc3ab344c00cb361fef9b0a0efe
-
SHA256
bcdee41502d32ac1f8b9ef98a25047a18550caf4947cb8111c2276cabb106149
-
SHA512
b195494368e80e4d12c9cafced3f13bff87a828ce45cf97e7dbb2bcbe72512d8bdef536947dc43bcc3a8050b71149c9daf7557126cb7e667fdc3c9240c02b4d1
-
SSDEEP
24576:0HMGoI+smdM8YM72MiEi7XKE9TnFwFOh:0MG1hMKHEibNnqO
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Vipkeylogger family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2