vipkeylogger | f6ba0761464ba7830f65e76974892217a5c92a0d77ab9b12a971288ba6aab43b | Triage

Sharing

General

Target

nRFQ_532566.cab.rar
Size

668KB
Sample

250224-hnxxhaskz9
MD5

23352a7ee6d89b44897e84fbe91e1d41
SHA1

00d7de5c2851a83c28176a25c861ab74db6b6b6b
SHA256

f6ba0761464ba7830f65e76974892217a5c92a0d77ab9b12a971288ba6aab43b
SHA512

155dbfc28c6c76cd8c216faceb90134cc7935433b4b2ab97e9451a97cbfbb1b7c05ef7606f806886f8189fd4fd0276e57f22d0de13312b297afb4e61dc7246e9
SSDEEP

12288:2Gqd1EOEycyP6fjcwpjDyBL+RRyBo0LPAQewk8pmxqA2KMzegeoA1zMvyj0vE+a5:2rdqsPMcGDgSRgBo8eHumkAbqJoMaj7

Score

10^/10

vipkeylogger collection discovery execution keylogger stealer

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7305300476:AAEUtST2qu1J2LKdbC6Wuf8pKunuBNKtYtk/sendMessage?chat_id=6750192797

Targets

- Target
  
  RFQ 532566.scr
- Size
  
  766KB
- MD5
  
  245c4d3a899092760b21b3bd44d3aca2
- SHA1
  
  0e36e09bfae68d6ba5a671668eccfd2ded99c776
- SHA256
  
  b4282d41f039431e25a94f29622f0585cbff48d86958118e770cfb8b2d16baea
- SHA512
  
  a2c627adea14bd687915a48e47529635f58625529f12af3766177683ff73fe681b26c0d33ff3f6722fe201c6d34cd71da3304f3143891a9e058ed9d03916f4af
- SSDEEP
  
  12288:0Mr8I0MdYeXY/e1ApfXEnCTzX75mkIQIadeBYilF3YDHFBSukOS19gC76sgFAjku:0MrbxRqfXZ75m16emiX3OlBSuaJLsord
Score

10^/10

vipkeylogger collection discovery execution keylogger stealer
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

vipkeyloggercollectiondiscoveryexecutionkeyloggerstealer

behavioral2

vipkeyloggercollectiondiscoveryexecutionkeyloggerstealer