vipkeylogger | 68765775002699ff32978e8cd956899391b045e273cf944cba0a4c13af820d18 | Triage

Sharing

General

Target

68765775002699ff32978e8cd956899391b045e273cf944cba0a4c13af820d18.exe
Size

843KB
Sample

250219-exsscsyny8
MD5

aeabfd0534b39c526c6617466af1d780
SHA1

7ffff117692cbcdeec136abd9bd7b15813d3ca35
SHA256

68765775002699ff32978e8cd956899391b045e273cf944cba0a4c13af820d18
SHA512

b7edcbda504deb93cfe9907eaf961dba3daf429e8d7f0442d6beab1e5741ced5810ba408d0787ef95e2a0d6b6169c4793223a05483b9c4c2c79540593c16010f
SSDEEP

12288:ROovHlb/a13/KiTO5rry72+QwfgivOKFd01e0B:RZle1vHTO5r9Cl0B

Score

10^/10

vipkeylogger collection discovery keylogger persistence stealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
uniform.gr
Port:
587
Username:
[email protected]
Password:
qkTHtoV5%]8%
Email To:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
uniform.gr
Port:
587
Username:
[email protected]
Password:
qkTHtoV5%]8%

Targets

- Target
  
  68765775002699ff32978e8cd956899391b045e273cf944cba0a4c13af820d18.exe
- Size
  
  843KB
- MD5
  
  aeabfd0534b39c526c6617466af1d780
- SHA1
  
  7ffff117692cbcdeec136abd9bd7b15813d3ca35
- SHA256
  
  68765775002699ff32978e8cd956899391b045e273cf944cba0a4c13af820d18
- SHA512
  
  b7edcbda504deb93cfe9907eaf961dba3daf429e8d7f0442d6beab1e5741ced5810ba408d0787ef95e2a0d6b6169c4793223a05483b9c4c2c79540593c16010f
- SSDEEP
  
  12288:ROovHlb/a13/KiTO5rry72+QwfgivOKFd01e0B:RZle1vHTO5r9Cl0B
Score

10^/10

vipkeylogger discovery keylogger persistence stealer collection
- Modifies WinLogon for persistence
  persistence
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Browser Information Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

vipkeyloggerdiscoverykeyloggerpersistencestealer

behavioral2

vipkeyloggercollectiondiscoverykeyloggerpersistencestealer