General

  • Target

    GPL - INQUIRY-HQ242654pdf.exe

  • Size

    1.0MB

  • Sample

    250129-kdkwassmby

  • MD5

    45772fa253be179b1bcb1d57d2182d0a

  • SHA1

    d6961c7f2710cdd896d622fa8500d68f64468b2a

  • SHA256

    6cdcf78d540c146fb0319b5539d1bf930c2e59c42ea8953066c648a0b65ae460

  • SHA512

    507d8c9700bada981e734c078a94ccd253fbf547ef2885fe7fd6a748b9638bd7031b3a88ca3877a85da9422ab705bb7770e4f76f9b5ba01db307be3016231ccb

  • SSDEEP

    24576:9zP8/+udgfs+jNSLSeeT/l3bwOXd4GC9:6q0SNo6/lrwON4GC

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.vvtrade.vn
  • Port:
    587
  • Username:
    sales-nguyen@vvtrade.vn
  • Password:
    qVyP6qyv6MQCmZJBRs4t

Extracted

Family

vipkeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    mail.vvtrade.vn
  • Port:
    587
  • Username:
    sales-nguyen@vvtrade.vn
  • Password:
    qVyP6qyv6MQCmZJBRs4t
  • Email To:
    saleseuropower@yandex.com
C2

https://api.telegram.org/bot7323823089:AAFBRsTW94zIpSoDS8yfGsotlQLqF2I6TU0/sendMessage?chat_id=5013849544

Targets

    • Target

      GPL - INQUIRY-HQ242654pdf.exe

    • Size

      1.0MB

    • MD5

      45772fa253be179b1bcb1d57d2182d0a

    • SHA1

      d6961c7f2710cdd896d622fa8500d68f64468b2a

    • SHA256

      6cdcf78d540c146fb0319b5539d1bf930c2e59c42ea8953066c648a0b65ae460

    • SHA512

      507d8c9700bada981e734c078a94ccd253fbf547ef2885fe7fd6a748b9638bd7031b3a88ca3877a85da9422ab705bb7770e4f76f9b5ba01db307be3016231ccb

    • SSDEEP

      24576:9zP8/+udgfs+jNSLSeeT/l3bwOXd4GC9:6q0SNo6/lrwON4GC

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    • Vipkeylogger family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.