General

  • Target

    8135e54ce7beff8ca4566c125fa8196e197a22d01a7cbebcf9b2d12cc39b848f

  • Size

    691KB

  • Sample

    250701-e81mcasks9

  • MD5

    c4d098e7bf71abe973e5e8541faa8bdf

  • SHA1

    26d2315dc6206e24248275d55141d89eb59a32dd

  • SHA256

    8135e54ce7beff8ca4566c125fa8196e197a22d01a7cbebcf9b2d12cc39b848f

  • SHA512

    cc044c9577622caaeab13833f9709201db704a654907af9173667aa21bf0e863e4497de6cb0a2b214de9e00b73697c03ad2cf2e3d4e11136c7e3762160948881

  • SSDEEP

    12288:kA+ck5YKY8l7KVMSkYnfp1UJ17veHZLUB1jqQaY/KJOPigNVO0r3/pSH090s496M:J+ck568l7QLnh6/7OJU6Q5RbrwQkad8

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.pth.com.sg
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    5[1P@{5]6BJ+

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      Purchase Order No.1364..exe

    • Size

      763KB

    • MD5

      3f5850ff6d3dfa5e3c165d7f6b0ce682

    • SHA1

      f17f6c33f87c37b6080f686834deb2cef504c269

    • SHA256

      d16e631c7b57f0b20be7b526e713f29800ac13b68694e01f33136a4fae643f7e

    • SHA512

      fb141878c65e8e865a0e9c1031bbf087ebdfeb1b8a03ba3d1fa713a13416acb518e5eabdd0e7e8961218b5220bd220a4680c22521f0e6a15d4231e0c3bbf0017

    • SSDEEP

      12288:VJ+ivMeX6nT+VMSkYdboV1U31x7eHZLUV1TqQSY/UJOXigN1O0r3U7Y5e5M6VkgL:BkALdE6Fx6JUGQrxqYM5De98um/

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.

    • Vipkeylogger family

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar data.

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v16

Tasks