General

  • Target

    Scanned_Product_Specifications_&_Order.pdf.exe

  • Size

    783KB

  • Sample

    250123-kjp27sskex

  • MD5

    97c6b2f3cf99db3d64f43c6c5235c09f

  • SHA1

    7ca4007e55170faf7286944317a8f65bb371ee5b

  • SHA256

    0ecddd957a515d3d3ddc583b3f451d56f56273cfc844c13a8cb0b78d10b3c52b

  • SHA512

    7e359b820921152a5db9f3315879e9c930275b96cdf99aa3721348fb8feece8c2fbe66531997e483114daf0a8c1d22a4b306e4e4e5af219b000f151225d9ba06

  • SSDEEP

    12288:dIFtAefmqLUMssPOBeszIxhGNOuWHd9Xh4+iqo9wSf0me5nxtjRjc2Adoq:dULfm49eNAALW9rBix5eTtjW2E

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    kashmirestore.com
  • Port:
    21
  • Username:
    anonymous_log@kashmirestore.com
  • Password:
    c%P+6,(]YFvP

Extracted

Family

vipkeylogger

Targets

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

    • Vipkeylogger family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
