General

  • Target

    5f12f30d2c413e4d5a66d9e5b42ab2bb508127e069849f94103fa326c972f510

  • Size

    809KB

  • Sample

    250227-cjrl2a1qz5

  • MD5

    1b02f25a68c5d515dd89f1e4fca9ba63

  • SHA1

    9c89b45e9532e9c01ad543c4fb0e6ace2ad81e6c

  • SHA256

    5f12f30d2c413e4d5a66d9e5b42ab2bb508127e069849f94103fa326c972f510

  • SHA512

    7376de76b5563285e5a5090716f165579ade187d7858b3a86a8fbea5637faf6fcf692c14781eb41c93549127961e1c3d0520e6fd2307c9693e7e6c846db1ed9b

  • SSDEEP

    24576:2ofEMlWtxnU1f1CHRetef4JchN9hU6mpKy+YiSq1eVhb:JwxnRwtewyzFmpKyCSbVB

Malware Config

Extracted

Family

vipkeylogger

Credentials

C2

https://api.telegram.org/bot7563311736:AAFJewS8I9s6_mnl_sUm8SW4RjIOXWEEyVI/sendMessage?chat_id=6386262734

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.saad-syria.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    slmrs2901000201

Targets

    • Target

      Purchase Order - Hi tech Insulator SAPPL23240999.exe

    • Size

      982KB

    • MD5

      25c92b854587494825e5cd9b32ebb682

    • SHA1

      6eea1700fab7342a8078f612e0920fa2f84a1cfd

    • SHA256

      0be6a7f44926700fa4c215c731f2609401648a93b276936cfe411f34347165ab

    • SHA512

      69fe139c05ac7efe5236fc48347b1356429c613a176acc051c50c2a3a1118d67f335abc091c1baa31dde445d9c91efca191118cd3b2b5288f4da67745b6452c0

    • SSDEEP

      24576:v0784ZPsCsjb9C0Yynd+EHssgFuFYSmy:vC84VszC0RnUwFYSn

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

    • Vipkeylogger family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks