vipkeylogger | 352ee59f5c656357fb90e96225d9eeb826ce8955eab0bac2663d2d0be6591dce | Triage

Sharing

General

Target

352ee59f5c656357fb90e96225d9eeb826ce8955eab0bac2663d2d0be6591dce.exe
Size

890KB
Sample

250215-2aenjsxphv
MD5

7bc1c1705c00dcd7be861517f0c2e4f9
SHA1

e7faedfcf25edd1a1def84972c924dfbc3094be6
SHA256

352ee59f5c656357fb90e96225d9eeb826ce8955eab0bac2663d2d0be6591dce
SHA512

d0d736fdda79125c6b6d17d6901f607503da6662ebddefbdb1eb1d9717d928889c69be87e27d179387b24caeecddd4e81909bc3bfa5a2e5628c98313c58ebfe3
SSDEEP

24576:F6g7wwDEGmv9ax8qezKoL9hYThImgvo3dXJ9:FTpDbQYGL92evIlT

Score

10^/10

vipkeylogger discovery execution keylogger stealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.bteenerji.com
Port:
587
Username:
[email protected]
Password:
123husnu
Email To:
[email protected]

C2

https://api.telegram.org/bot7354418955:AAH10FAR8IByRBtd_Qs69uwN7lnhl-2X18k/sendMessage?chat_id=6851554211

Targets

- Target
  
  352ee59f5c656357fb90e96225d9eeb826ce8955eab0bac2663d2d0be6591dce.exe
- Size
  
  890KB
- MD5
  
  7bc1c1705c00dcd7be861517f0c2e4f9
- SHA1
  
  e7faedfcf25edd1a1def84972c924dfbc3094be6
- SHA256
  
  352ee59f5c656357fb90e96225d9eeb826ce8955eab0bac2663d2d0be6591dce
- SHA512
  
  d0d736fdda79125c6b6d17d6901f607503da6662ebddefbdb1eb1d9717d928889c69be87e27d179387b24caeecddd4e81909bc3bfa5a2e5628c98313c58ebfe3
- SSDEEP
  
  24576:F6g7wwDEGmv9ax8qezKoL9hYThImgvo3dXJ9:FTpDbQYGL92evIlT
Score

10^/10

vipkeylogger execution keylogger stealer discovery
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

vipkeyloggerexecutionkeyloggerstealer

behavioral2

vipkeyloggerdiscoveryexecutionkeyloggerstealer