vkeylogger | f3133b021fd1eb20aa1b624a6295496e0d4cfdad4d6d25ac00ab02ee5cbea8b1

General

Target

0ed76cd7cb14cc30d04802a750bcad22.exe
Size

245KB
MD5

0ed76cd7cb14cc30d04802a750bcad22
SHA1

ed719729d7025b6d16399c88a7334fdd58b0d603
SHA256

f3133b021fd1eb20aa1b624a6295496e0d4cfdad4d6d25ac00ab02ee5cbea8b1
SHA512

89452af762b13227bd835a50d8e5d55a0760889699fae5bb7da67fba1b4fa16207c9e395230cb2f3b135266c3dfac98f45bb8df3b8f9391d55696f8f13e64ea6

Score

10^/10

vkeylogger keylogger persistence stealer suricata

Malware Config

Signatures

VKeylogger
A keylogger first seen in Nov 2020.
stealer keylogger vkeylogger

VKeylogger Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1852-118-0x0000000000500000-0x000000000050F000-memory.dmp	family_vkeylogger
behavioral2/memory/1852-124-0x0000000000503500-mapping.dmp	family_vkeylogger
behavioral2/memory/3164-126-0x00000000003D0000-0x00000000003DF000-memory.dmp	family_vkeylogger

suricata: ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad
suricata: ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad
suricata
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\gtrhy = "C:\\Windows\\system32\\mshta.exe javascript:x=new%20ActiveXObject(\"wscript.shell\");v=x.RegRead(\"HKCU\\\\Software\\\\Microsoft\\\\SMSvcHost\\\\ComponentID\");eval(v);"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\gr5wd = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe"	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

0ed76cd7cb14cc30d04802a750bcad22.exeRegSvcs.exe

description	pid	process	target process
PID 2600 set thread context of 1852	2600	0ed76cd7cb14cc30d04802a750bcad22.exe	RegSvcs.exe
PID 1852 set thread context of 3164	1852	RegSvcs.exe	explorer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

RegSvcs.exeexplorer.exe

pid process

1852 RegSvcs.exe
3164 explorer.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

explorer.exe

pid process

3164 explorer.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

explorer.exe

pid process

3164 explorer.exe

pid	process
1852	RegSvcs.exe
3164	explorer.exe

pid	process
3164	explorer.exe

pid	process
3164	explorer.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

0ed76cd7cb14cc30d04802a750bcad22.exeRegSvcs.exe

description	pid	process	target process
PID 2600 wrote to memory of 1852	2600	0ed76cd7cb14cc30d04802a750bcad22.exe	RegSvcs.exe
PID 2600 wrote to memory of 1852	2600	0ed76cd7cb14cc30d04802a750bcad22.exe	RegSvcs.exe
PID 2600 wrote to memory of 1852	2600	0ed76cd7cb14cc30d04802a750bcad22.exe	RegSvcs.exe
PID 2600 wrote to memory of 1852	2600	0ed76cd7cb14cc30d04802a750bcad22.exe	RegSvcs.exe
PID 2600 wrote to memory of 1852	2600	0ed76cd7cb14cc30d04802a750bcad22.exe	RegSvcs.exe
PID 1852 wrote to memory of 3164	1852	RegSvcs.exe	explorer.exe
PID 1852 wrote to memory of 3164	1852	RegSvcs.exe	explorer.exe
PID 1852 wrote to memory of 3164	1852	RegSvcs.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\0ed76cd7cb14cc30d04802a750bcad22.exe
"C:\Users\Admin\AppData\Local\Temp\0ed76cd7cb14cc30d04802a750bcad22.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
3⤵
- Adds Run key to start application
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3164

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1852-118-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/1852-124-0x0000000000503500-mapping.dmp

Download
memory/3164-125-0x00000000003D2E90-mapping.dmp

Download
memory/3164-126-0x00000000003D0000-0x00000000003DF000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads