General
Target: Ningbo - Invoices - Past Due.exe
Size: 11.4MB
Sample: 250221-l8llrazkbv
MD5: af583be31d9bdfce0854e0d043031965
SHA1: 82bf70e9324fca750ad3c61540bda6a0bdca5345
SHA256: 6d782f80e17d4e8de6ff0fc27bcdabdc9a918e0d8f1ed585b930fbb86a335e6e
SHA512: cba1e7928fc2251061c534dee5c40c6ba4bf1bd446a4f447701ce6349ecb5475c7234937cd39ab2cbcccb62fa76a0c44cbc23b9a5c09a6a6bc0abfe16ed8af2f
SSDEEP: 196608:zJTQ2WqlTsmyjRHpoNKWxA3wU+IHmz6KIEg+9dC:zy2PXeMz67Eg+
Static task: static1
Behavioral task: behavioral1
  Sample: Ningbo - Invoices - Past Due.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: Ningbo - Invoices - Past Due.exe
  Resource: win10v2004-20250217-en
Malware Config
Extracted: vipkeylogger
Protocol: smtp
Host: mail.iaa-airferight.com
Port: 25
Username: [email protected]
Password: moneyismade22
Email To: [email protected]
Targets
Target: Ningbo - Invoices - Past Due.exe
Score: 10/10
- Suspicious use of NtCreateUserProcessOtherParentProcess
- VIPKeylogger: VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.
- Vipkeylogger family
- Drops startup file
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext