vipkeylogger

General

Target

Fiyatteklifihk.exe
Size

744KB
Sample

250325-vb1tvayzax
MD5

f41bb88f7e4dcf7da1752be392809076
SHA1

a1d308e08021468587fb29bc902aae7f3ab415fc
SHA256

db49472040ee226b7140171b9202e05386125f9b9e4ed7fce4509ed3c8a20db9
SHA512

5d3c20b3f25affa7ac0ec365c532eafb36c8b3d01cf5aa50a677d9cc4b76fbe7be05482e1f1b79e47e764efa0e329dabb6b590ad081cff040546b925522a6301
SSDEEP

12288:YdulYyOn6nzx7qJgB67Zlgns4HAJRt5O9uBsz8itCLH4G3HA2qU+F2d6qAQDHL:LY9n6nhb6CWO9uPZHA2z6qAQ

Score

10^/10

Malware Config

Extracted

Family

vipkeylogger

Targets

- Target
  
  Fiyatteklifihk.exe
- Size
  
  744KB
- MD5
  
  f41bb88f7e4dcf7da1752be392809076
- SHA1
  
  a1d308e08021468587fb29bc902aae7f3ab415fc
- SHA256
  
  db49472040ee226b7140171b9202e05386125f9b9e4ed7fce4509ed3c8a20db9
- SHA512
  
  5d3c20b3f25affa7ac0ec365c532eafb36c8b3d01cf5aa50a677d9cc4b76fbe7be05482e1f1b79e47e764efa0e329dabb6b590ad081cff040546b925522a6301
- SSDEEP
  
  12288:YdulYyOn6nzx7qJgB67Zlgns4HAJRt5O9uBsz8itCLH4G3HA2qU+F2d6qAQDHL:LY9n6nhb6CWO9uPZHA2z6qAQ
Score

10^/10

vipkeylogger collection discovery execution keylogger spyware stealer
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2