General

  • Target

    06012025_0843_06012025_PO#17971 PO#17572 PO#19973.rar

  • Size

    679KB

  • Sample

    250106-kmvrvssjhv

  • MD5

    4274043db0a299269736920569a72fdd

  • SHA1

    c7feed8e7c6d210d83e719f0e949874e7c7e2732

  • SHA256

    7fad411a10cc7995a497d63fc2d8adf5145c159e9e1a47c639c6f6115e16d79b

  • SHA512

    e2baf55ee356d8c504c0c74e2dc7f2cc2a080cfded0a39cc46bc346800c176b10cd98d9edc473d6747aaafdd32a9f113cdd94b5a84c5cedcdd332bae1d376ba5

  • SSDEEP

    12288:TdtWXhqPVZkN8mX5ZcQImB0B/yMFIhJc0gu+0KVDTZdDLgoogXWnITU2oXhIA9iY:TvacsT5Z930B/yikgu+0KVDTrRocMI4T

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    wVCMFq@2wVCMFq@2

Extracted

Family

vipkeylogger


Targets

    • Target

      PO#17971 PO#17572 PO#19973.bat

    • Size

      765KB

    • MD5

      8807c0953c8566b469580b93a0996e1a

    • SHA1

      31991fdb5fe73faee8c9b6a3fcdd8129176326bd

    • SHA256

      992af543eae7fef1f8169335e82b8c04b243632dfe045f65c80ce0d4b191ed46

    • SHA512

      8f201ea4189731b61af2b0372926319d9783a568c4b82c0026f7568e9ee4d4ea861cc95fa20b60858145557a0ec59a9fb9058e3bd037a76eea8a426d7863ad5b

    • SSDEEP

      12288:anW1cUoV+I4MVKWBrnOQ4jhWd35ohjFTfb3wdrOxjKZcdrMfXVkr/Ho+dA3:anWuRgKrX4tWdJe5sOxjTdrTTI

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.

    • Vipkeylogger family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15