General

  • Target

    DHL- CBJ520818836689.pdf.bat.exe

  • Size

    910KB

  • Sample

    250224-qb76pstny8

  • MD5

    a98de8b5c59ed89c8a9d8b57b579bb89

  • SHA1

    bba4c3c658be2995b52c4561a032cd12de5cf3a9

  • SHA256

    643bad4b8c1ea719d13aab26abb093c5dba260a2803b2403ef8310e6e9c09c13

  • SHA512

    07ac5792b03b14142ff4918444d70eddb6d887f278f1b188bb4770b21a6d685b8e3fbc04042c557099e4e9cb9ea5aab1aaea76b333492bae23eac790bb3e5242

  • SSDEEP

    12288:QNLMj6YeXY/e1O0qHnd8Jml7ApFeFKFCYu7OMiqhA1DZUz/whvhNBGv+7yxxNKLR:Ao0q685Y6kyOMiqAewO1DKLRYI

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7649026968:AAH75HT18WhN7hgOztGp3nInPClk-j5c1Yw/sendMessage?chat_id=1128973051

Targets

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

    • Vipkeylogger family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks