General

  • Target

    AH72799_MINES SERVICES SURINAME N.V.vbs

  • Size

    66KB

  • Sample

    250226-kvklvssrx2

  • MD5

    0413291a862dec930cbeacabe1f57e8c

  • SHA1

    264609925d33aa4a99dbf0246f0fd8680f94a8c7

  • SHA256

    4d2227e8ebf7c5711159c86ccd59d8007ca4ffc56d1d6d13c7bcb4494875756e

  • SHA512

    9595f534d657f39fd08df644bff62cb28d2eca57c17279e8df28f21a0fb094658cfebb2b3b5f83c060e7e80444d111e2938b907f42cffc807afcb73f291ca3cf

  • SSDEEP

    1536:apfuabI6RmNplnvrfKpI2ItF/6RH5UUYfD2:aW6RmVnTipgCRZSC

Malware Config

Extracted

Family

vipkeylogger

Targets

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first found in 2020.

    • Vipkeylogger family

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Command and Scripting Interpreter: PowerShell

      Uses a powershell.exe command.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks