Overview

overview

10

Static

static

0ed76cd7cb...22.exe

windows7_x64

1

0ed76cd7cb...22.exe

windows10_x64

10

Analysis

  • max time kernel
    110s
  • max time network
    120s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    14-11-2021 13:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0ed76cd7cb14cc30d04802a750bcad22.exe

  • Size

    245KB

  • MD5

    0ed76cd7cb14cc30d04802a750bcad22

  • SHA1

    ed719729d7025b6d16399c88a7334fdd58b0d603

  • SHA256

    f3133b021fd1eb20aa1b624a6295496e0d4cfdad4d6d25ac00ab02ee5cbea8b1

  • SHA512

    89452af762b13227bd835a50d8e5d55a0760889699fae5bb7da67fba1b4fa16207c9e395230cb2f3b135266c3dfac98f45bb8df3b8f9391d55696f8f13e64ea6

Score
10/10
vkeyloggerkeyloggerpersistencestealersuricata

Malware Config

Signatures

  • VKeylogger

    A keylogger first seen in Nov 2020.

    stealerkeyloggervkeylogger
  • VKeylogger Payload 3 IoCs
  • suricata: ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad

    suricata: ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad

    suricata
  • suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers

    suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers

    suricata
  • suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

    suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

    suricata
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0ed76cd7cb14cc30d04802a750bcad22.exe
    "C:\Users\Admin\AppData\Local\Temp\0ed76cd7cb14cc30d04802a750bcad22.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2600
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1852
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\SysWOW64\explorer.exe"
        3⤵
        • Adds Run key to start application
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        PID:3164

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1852-118-0x0000000000500000-0x000000000050F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/3164-126-0x00000000003D0000-0x00000000003DF000-memory.dmp

    Filesize

    60KB

    Download