2026-01-09: VIP Recovery infection from email attachment
The VIP Recovery infection spreads via an email attachment: a VBS file inside the attachment downloads and runs the malware, retrieving executables embedded as Base64-encoded text from two URLs. 2026-1-9 21:32:0 Author: www.malware-traffic-analysis.net

2026-01-09 (FRIDAY): VIP RECOVERY INFECTION FROM EMAIL ATTACHMENT

NOTICE:

- Zip files are password-protected.  Of note, this site has a new password scheme.  For the password, see the "about" page of this website.

ASSOCIATED FILES:


NOTES:

- Some sources called this malware "VIP Keylogger," but the data exfiltration emails are labeled "VIP Recovery."

INFECTION CHAIN:

- email --> attached archive --> extracted VBS file --> retrieves and runs files for VIP Recovery

EMAIL INFORMATION:

- Received: from slot0.morecft[.]shop (slot0.morecft[.]shop [195.54.161[.]236]) [info removed]; Fri, 09 Jan 2026 06:55:06 (UTC)
- From: Ms. Maggie Wu
- Subject: Request for Quotation (RFQ) -RFQ/2026/10/26
- Date: 9 Jan 2026 01:55:04 -0500
- Attachment name: Request for Quotation (RFQ) -RFQ20261026.7z

EMAIL ATTACHMENT AND EXTRACTED FILE:

- SHA256 hash: a51ec9b082b024d863e53505e2bd2276ce2e4f575bf2b8cb3356124a662bfacd
- File size: 6,065 bytes
- File type: 7-zip archive data, version 0.4
- File name: Request for Quotation (RFQ) -RFQ20261026.7z

- SHA256 hash: 7b998e3e817d913700336ceb36e178f39182ca60038f55624383857ab921bc4c
- File size: 16,051 bytes
- File type: ASCII text, with CRLF, LF line terminators
- File name: Documented_Invoice_305.vbs

INITIAL TRAFFIC FROM RUNNING THE VBS FILE:

- 18:04:43 UTC - TCP port 80 - hxxps[:]//firebasestorage.googleapis[.]com/v0/b/remasd-6c702.firebasestorage.app/o/image.jpg?alt=media&token=[info removed]
- 18:04:44 UTC - TCP port 80 - hxxps[:]//1zil1.s3.cubbit[.]eu/don-snake-vipupload.txt

FILES FROM THE ABOVE URLS:

- SHA256 hash: 573507ffbef1dcbc354c0ae29c71051c8790b4bbd06d71ee6d68078862cf0ab4
- File size: 2,404,423 bytes
- File type: JPEG image data
- File location: hxxps[:]//firebasestorage.googleapis[.]com/v0/b/remasd-6c702.firebasestorage.app/o/image.jpg?alt=media&token=[info removed]
- Note: Image returned from the above URL has embedded base64 text.

- SHA256 hash: 71773949eb6fa255bd1e633f55127720a1b5ed46ecb28affb7bdd28b625fa4c9
- File size: 3,936,172 bytes
- File type: ASCII text, with very long lines (65536), with no line terminators
- File location: hxxps[:]//1zil1.s3.cubbit[.]eu/don-snake-vipupload.txt

EXE FILES EXTRACTED FROM THE ABOVE FILES:

- SHA256 hash: f340b73cc89e25e6726a019b3e79c0b491b69b0c54ae3f02ba062879c48253df
- File size: 98,304 bytes
- File type: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
- File description: EXE from converting base64 text embedded in image from firebasestorage.googleapis[.]com URL

- SHA256 hash: 6230ffa50d64f417bc06c469df83110f81af670ac70763b01797638e744ae2a7
- File size: 2,952,129 bytes
- File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
- File description: EXE from reversing and converting base64 text from 1zil1.s3.cubbit[.]eu URL
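As an added example (not part of the original write-up), a small Python triage helper that mirrors the two recovery steps described in the file descriptions above: carve a long base64 run out of a downloaded image, try both the plain and the reversed decoding of a text blob, and accept a result only if it carries valid MZ/PE headers. The sample inputs are constructed stand-ins, not the real files from this infection.

```python
import base64
import binascii
import re

# Long runs of base64 alphabet; padding is allowed at either end because one
# payload on this page is the base64 text written backwards (padding in front).
B64_RUN = re.compile(rb"={0,2}[A-Za-z0-9+/]{64,}={0,2}")

def is_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def decode_candidates(run: bytes) -> list:
    """Decode a base64 run as-is and reversed; return (method, bytes) for each that parses."""
    out = []
    for method, text in (("plain", run), ("reversed", run[::-1])):
        try:
            out.append((method, base64.b64decode(text, validate=True)))
        except (binascii.Error, ValueError):
            pass  # wrong orientation (padding ends up in front) or not real base64
    return out

def find_embedded_pe(blob: bytes) -> list:
    """Scan a downloaded artifact (image or text file) for base64 runs that hide a PE file."""
    hits = []
    for run in B64_RUN.findall(blob):
        for method, data in decode_candidates(run):
            if is_pe(data):
                hits.append((method, data))
    return hits

# --- Constructed sample inputs; these are stand-ins, not the files from the write-up ---
def make_pe_stub() -> bytes:
    """Minimal PE-shaped bytes: MZ header, e_lfanew = 0x40, then the PE signature."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 29  # 97 bytes, so base64 ends in "=="

PE_STUB = make_pe_stub()
# Case 1: base64 text sitting inside JPEG-like bytes (the image download).
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\xff\xdb" + base64.b64encode(PE_STUB) + b"\xff\xd9"
# Case 2: a text file that is the whole base64 string reversed (the .txt download).
SAMPLE_TXT = base64.b64encode(PE_STUB)[::-1]
# Decoy: a long base64 run that decodes to non-PE data and must not be reported.
DECOY = base64.b64encode(b"A" * 80)
```

Running `find_embedded_pe` over a real download reports which orientation decoded to a PE file; a hit can then be hashed and compared against the SHA256 values listed above.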

POST-INFECTION TRAFFIC:

- 18:04:48 UTC - TCP port 80 - checkip.dyndns[.]org - GET /
- 18:04:49 UTC - TCP port 80 - checkip.dyndns[.]org - GET /
- 18:04:49 UTC - TCP port 443 - reallyfreegeoip[.]org - [HTTPS traffic]
- 18:04:50 UTC - TCP port 80 - checkip.dyndns[.]org - GET /
- 18:04:50 UTC - TCP port 80 - checkip.dyndns[.]org - GET /
- 18:04:51 UTC - TCP port 80 - checkip.dyndns[.]org - GET /
- 18:04:51 UTC - TCP port 80 - checkip.dyndns[.]org - GET /
- 18:04:51 UTC - TCP port 80 - checkip.dyndns[.]org - GET /
- 18:04:52 UTC - TCP port 80 - checkip.dyndns[.]org - GET /
- 18:04:52 UTC - TCP port 80 - checkip.dyndns[.]org - GET /
- 18:04:53 UTC - TCP port 80 - checkip.dyndns[.]org - GET /
- 18:04:53 UTC - TCP port 443 - api.telegram[.]org - [HTTPS traffic]
- 18:05:00 UTC - 162.254.34[.]31:587 - eraqron[.]com - [unencrypted SMTP traffic]
- 18:05:05 UTC - 162.254.34[.]31:587 - eraqron[.]com - [unencrypted SMTP traffic]

DATA EXFILTRATION EMAIL ADDRESSES:

- Email for sending victim data: rejump@eraqron[.]shop
- Email to receive victim data: jump@eraqron[.]shop

IMAGES:

- [Image] Screenshot of the email, its attachment, and the VBS file within the attachment.
- [Image] Traffic from the infection filtered in Wireshark.
- [Image] Start of SMTP traffic from one of the data exfiltration emails.



Source: https://www.malware-traffic-analysis.net/2026/01/09/index.html