vipkeylogger | 1817a7661c198619d6cedcaf58cdaa63f3195551edb1597f4c3c3497799d42d7 | Triage

Sharing

General

Target

1817a7661c198619d6cedcaf58cdaa63f3195551edb1597f4c3c3497799d42d7.vbs
Size

183KB
Sample

250219-c1ezkavlgz
MD5

f545e8be6220242acf3b735f153d0650
SHA1

bf5df9d7432b38159c1ca101e1df8c292cedcac0
SHA256

1817a7661c198619d6cedcaf58cdaa63f3195551edb1597f4c3c3497799d42d7
SHA512

96a2f504b6af6cb4a2ac4a787049731487c76a8979f323cd3284b27654ff3a58d6fae24111d911e2caa12f0f9a6efa0766d7ef670d68277ced5b2f1d0724d84d
SSDEEP

3072:chvVIewt1Dp4PfXVtKYGyCjc9fP0Fb9+DPvv1e:wvVTKYGyCR

Score

10^/10

vipkeylogger collection discovery execution keylogger stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
turkey.ipchina163.com
Port:
587
Username:
[email protected]
Password:
!YxP!%1gFh=G

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
turkey.ipchina163.com
Port:
587
Username:
[email protected]
Password:
!YxP!%1gFh=G
Email To:
[email protected]

Targets

- Target
  
  1817a7661c198619d6cedcaf58cdaa63f3195551edb1597f4c3c3497799d42d7.vbs
- Size
  
  183KB
- MD5
  
  f545e8be6220242acf3b735f153d0650
- SHA1
  
  bf5df9d7432b38159c1ca101e1df8c292cedcac0
- SHA256
  
  1817a7661c198619d6cedcaf58cdaa63f3195551edb1597f4c3c3497799d42d7
- SHA512
  
  96a2f504b6af6cb4a2ac4a787049731487c76a8979f323cd3284b27654ff3a58d6fae24111d911e2caa12f0f9a6efa0766d7ef670d68277ced5b2f1d0724d84d
- SSDEEP
  
  3072:chvVIewt1Dp4PfXVtKYGyCjc9fP0Fb9+DPvv1e:wvVTKYGyCR
Score

10^/10

execution vipkeylogger collection discovery keylogger stealer
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

vipkeyloggercollectiondiscoveryexecutionkeyloggerstealer