vipkeylogger | 4af93b0cafc33eced2cedac175f663a1f890a549ba64884c29f3563cd66a61fa | Triage

Sharing

General

Target

15012025_1338_TT.2.bat.zip
Size

390KB
Sample

250115-qxhg6swjbl
MD5

9283ec2b3dcd0280fb27fdd3df3795ef
SHA1

34224d6187b95ee590f9a5f565910a2ea4b5b667
SHA256

4af93b0cafc33eced2cedac175f663a1f890a549ba64884c29f3563cd66a61fa
SHA512

ba08be5e4332d101ba9a77a064b9066d882cce8b263c4620fd1e52a5d56106d253cfb3f04c08342226f03687b9c26500d3670fee4e20de10399cd874026768d1
SSDEEP

12288:nTkokC58pIU4n+dlos1bRKb2ZHEK2xximHuWK:nVDnU4n+vo0CWHbmHuJ

Score

10^/10

vipkeylogger collection discovery execution keylogger spyware stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.vvtrade.vn
Port:
587
Username:
[email protected]
Password:
qVyP6qyv6MQCmZJBRs4t

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI/sendMessage?chat_id=6443825857

Targets

- Target
  
  TT.2.bat
- Size
  
  654KB
- MD5
  
  510fd19d92d3b0b7bf15c25136f4f4a8
- SHA1
  
  d72a9835b6cde04c97a6f36f0f440086a950725b
- SHA256
  
  29bf23ea98222665327d48b87f3203f0158fb63e04deba0a803044b19faa69ce
- SHA512
  
  2009ba6f36e2c1b06acb4786045147c0e526d3cac3b4e410121c5b27977644a6d6d8b7a725b7dd91b216fa868891d258011c5e5c6fcc54c0a94b941f07bab7d3
- SSDEEP
  
  12288:JbRKjP7ne32KZc0IhELRVH6JRvKX2ZFEKy2THq2v:TKjP7efiIRkJIWFpdv
Score

10^/10

discovery execution vipkeylogger collection keylogger spyware stealer
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Drops startup file
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Browser Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

vipkeyloggercollectiondiscoveryexecutionkeyloggerspywarestealer