Overview

overview

10

Static

static

3

RFQ_PO_048...er.scr

windows7-x64

10

RFQ_PO_048...er.scr

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a05510224a29e7f28470ab24a48ee1d5a5e5b2242360bda7ce96ddc75fd88650

  • Size

    800KB

  • Sample

    250219-capq3stqbs

  • MD5

    3b67ce88ac137f4b2c767f2fc6278511

  • SHA1

    994e62f6ba7c40327973543a77b0636ea8e3e6e9

  • SHA256

    a05510224a29e7f28470ab24a48ee1d5a5e5b2242360bda7ce96ddc75fd88650

  • SHA512

    3f714db76219d6493dfa989205ffee7f3c64d66f37543724f191a79fd20a6b354c257fd9ab64e1966984da723f9bcfebc97408e53c730348c2d6124eb988eca7

  • SSDEEP

    24576:vFg7rMzz+mkUjunHyfX9ru9zqWEPYafaB4qgEUbaU3YW3:tg7rsz+5LSJSqWEPH5aUoK

Score
10/10
vipkeyloggercollectiondiscoveryexecutionkeyloggerspywarestealer

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.gemssystems.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Admin174C@GEMS_DRFgemsSA

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      RFQ_PO_048657697_MQ10384_Order.scr

    • Size

      923KB

    • MD5

      b2ab62452cfdf6fa8398f51668ae73e9

    • SHA1

      b23a3d5637b131d06ef915f9468e21e9b9432819

    • SHA256

      d4e7b1bcebd9b9150dc206559b929744b9b592d3d62baa7902f3979b60336177

    • SHA512

      e49afb48ccaa5166dbc449a3c4f4b06c70e915a016f6dd2253e23d2a722c963818d53c2cc3a33fec16cbdb81e3a4c50b3e6543d0d4ed9afea3dca602c0419dbe

    • SSDEEP

      24576:M1wMRHPv6tkVAg5zurEdFX9hU9IPYKIs+WAJ+Xmuah9/WMnqMRH:GwMZqaVASpJXPf+WAJ+XTahMiqMZ

    Score
    10/10
    vipkeyloggercollectiondiscoveryexecutionkeyloggerspywarestealer

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

      stealerkeyloggervipkeylogger

    • Vipkeylogger family

      vipkeylogger

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks