General

  • Target

    rRFQ532566.scr.exe

  • Size

    766KB

  • Sample

    250224-cy8tvsyrhl

  • MD5

    245c4d3a899092760b21b3bd44d3aca2

  • SHA1

    0e36e09bfae68d6ba5a671668eccfd2ded99c776

  • SHA256

    b4282d41f039431e25a94f29622f0585cbff48d86958118e770cfb8b2d16baea

  • SHA512

    a2c627adea14bd687915a48e47529635f58625529f12af3766177683ff73fe681b26c0d33ff3f6722fe201c6d34cd71da3304f3143891a9e058ed9d03916f4af

  • SSDEEP

    12288:0Mr8I0MdYeXY/e1ApfXEnCTzX75mkIQIadeBYilF3YDHFBSukOS19gC76sgFAjku:0MrbxRqfXZ75m16emiX3OlBSuaJLsord

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7305300476:AAEUtST2qu1J2LKdbC6Wuf8pKunuBNKtYtk/sendMessage?chat_id=6750192797

Targets

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

    • Vipkeylogger family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks