vipkeylogger | d3f69f494a1af0ea7a7dbf4307082c24e7bd1b91f29f258605d8ddfa3400ac4b | Triage

Submit
Reports

Overview

overview

Static

static

3

Purchase O...om.exe

windows7-x64

7

Purchase O...om.exe

windows10-2004-x64

Sharing

General

Target

Purchase Order WPO28029.com.exe
Size

828KB
Sample

250224-nbmhwsyrv4
MD5

c4effd60da72843a91071bd75c2f6af7
SHA1

3ec8afb98887a9add9fd509f0d0db603b896ae21
SHA256

d3f69f494a1af0ea7a7dbf4307082c24e7bd1b91f29f258605d8ddfa3400ac4b
SHA512

f30b7b98ddc45bd87c58c41d1022cdd4b29c3bbc686d8c17998bacc102b5eac6f9d52f6d6aadc3959e73967622ada4ecc8d9f0b0ba65e7db23d635a27c61259c
SSDEEP

12288:xMSSMsarSgOVK/EHawVlm/qNwv2bgigiQvArLmMRA:x1fDriFuT2bgfiuALq

Score

10^/10

vipkeylogger collection discovery keylogger stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Purchase Order WPO28029.com.exe

Resource

win7-20240903-en

windows7-x64

8 signatures

150 seconds

Behavioral task

behavioral2

Sample

Purchase Order WPO28029.com.exe

Resource

win10v2004-20250217-en

vipkeylogger collection discovery keylogger stealer

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

vipkeylogger

Targets

- Target
  
  Purchase Order WPO28029.com.exe
- Size
  
  828KB
- MD5
  
  c4effd60da72843a91071bd75c2f6af7
- SHA1
  
  3ec8afb98887a9add9fd509f0d0db603b896ae21
- SHA256
  
  d3f69f494a1af0ea7a7dbf4307082c24e7bd1b91f29f258605d8ddfa3400ac4b
- SHA512
  
  f30b7b98ddc45bd87c58c41d1022cdd4b29c3bbc686d8c17998bacc102b5eac6f9d52f6d6aadc3959e73967622ada4ecc8d9f0b0ba65e7db23d635a27c61259c
- SSDEEP
  
  12288:xMSSMsarSgOVK/EHawVlm/qNwv2bgigiQvArLmMRA:x1fDriFuT2bgfiuALq
Score

10^/10

discovery vipkeylogger collection keylogger stealer
- Suspicious use of NtCreateUserProcessOtherParentProcess
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

vipkeyloggercollectiondiscoverykeyloggerstealer

© 2018-2025

Terms | Privacy