General

  • Target

    8275bff47973ac35a9ff722a24aa3522b6a2db4121f1a7b0861bc281cfc8578c.z

  • Size

    683KB

  • Sample

    250129-dfjyfsynet

  • MD5

    2cfbe5c270d5757f82349f30c793a130

  • SHA1

    61fe4ab559d1cf49493296515927e2fed37054b0

  • SHA256

    8275bff47973ac35a9ff722a24aa3522b6a2db4121f1a7b0861bc281cfc8578c

  • SHA512

    f955939d89de3c9f0314f437ef143ae637634fcdee55c2b3ef0af182ac59a90646110343383a377bba642fa555835244d80ef53875fa305b226b9b057b147751

  • SSDEEP

    12288:SaRjGAgfTsRhBPrg5B4VSK1TAjN5FR1Xeqbj3fQbo9AepE3Zfk:3j5BzBDgoVN1MntPvONe+3e

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      RFQ_TBD#00417566.exe

    • Size

      821KB

    • MD5

      429c7a3322bd34eafacec92baba5ec09

    • SHA1

      61bbaec2ed91d5885cb2ee21e23b781ac91824d9

    • SHA256

      071d0a5405c4bc0d3319aa4756ad6afb703c8462d1a6d616765eeae22dcdbd30

    • SHA512

      8181ee44d934d6303f4ad2414741d4b422cdc2b038332ed13330bc6c8b3eb75d57dd1905a976a24ba40a78a2634c11539338db141ada5e4e810c2bef464c4d33

    • SSDEEP

      12288:qKY00jgMZ9+x/KDUBfssWfQoIGEcFC/oqE1TqIKqmuUN93ANpe0:qKdjMZ9+x/pBEDfycFC/A1tZmV3el

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

    • Vipkeylogger family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks