General

  • Target: 01072025_0559_30062025_PO.zip
  • Size: 665KB
  • Sample: 250701-gpranseq5v
  • MD5: 28d518255b33f323a78869a356f33181
  • SHA1: 957bdf32f2b6a1e6c06181eef09fb1e1611dd7ee
  • SHA256: 1b7b2b312e516e269db70df333a5730d4088a065bbd2c11e76d32c7bad075822
  • SHA512: 3ed25d1868737ac9173542f72ed67336c05425488d6a4673f865ebfeb56f1ba82357a865cdc778d2d2692ae47090262b8208f54b283650f6002f5ac6054a0d88
  • SSDEEP: 12288:rcdqHNxOQeHrbyFz9yoBJmjo3i0q2Q420bk/wLAEjzkh+WBJNLiszQEG5asBhowR:3XOVXyFRcX200XAwkEG9RUvByR6

Malware Config

Extracted

Credentials

  • Protocol: smtp
  • Host: mail.privateemail.com
  • Port: 587
  • Username: [email protected]
  • Password: n2eM4mz7D`w@>;

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target: PO.exe
    • Size: 724KB
    • MD5: 494ff9dd49ad6adaf5311211433596a1
    • SHA1: e80d0dde6967f2a367da42d3518a5123bce5cba9
    • SHA256: ebacd47d8d9c76fbc8e7f1c2d4768f5db3911ce8374ac2a704223c7c302b6998
    • SHA512: 63c3f463c2b186789f36c42d8c34854afb6155d4d7b5932891fa558cb18ec8069ab631319cda93358f0e36b808f315b593de47ba7f1b78195fe20fb640c61aee
    • SSDEEP: 12288:nndOVNxOCeHmZWFdT89XOAM8LrQFUwcbq/wLOEjFUh+J9QdX5Vj4jb:UdOTfj4VYYFOwUEJ2dLj4jb

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.

    • Vipkeylogger family

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, and infostealers often target that data.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v16

Tasks