General

  • Target: URGENTDHL-OVERDUEACCOUNTLETTER-1300711528.exe

  • Size: 2.4MB

  • Sample: 250227-ha3wlazmv5

  • MD5: c3b5d2314930b677e70e2174647eec9c

  • SHA1: ca3f9e5900c943c0aa33efd95c83fac1850b0aa0

  • SHA256: 140b71c1dc8ccf24de4f4bdd0c1acd6db259b720eb263123b7c100d5a6051852

  • SHA512: b63ea62c13e5f421eb945afb6f02a01448db42c9fe7c97a6085851048a1f184f43af744355f93115065b4bfcf3eee59f806a6701de7767a49eb155ec55fca587

  • SSDEEP: 49152:4LmAT3UAXdrbW5Z6MneR+Hq/GdEv3hg4W8ZSS:ImAYA6ZvHq/XhgI

Malware Config

Extracted

Family

vipkeylogger

Credentials

Targets

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.

    • Vipkeylogger family

    • Drops startup file

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks