Overview

overview

10

Static

static

10

57df82d0e4...65.exe

windows7_x64

10

57df82d0e4...65.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    143s
  • max time network
    162s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    21-02-2022 11:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    57df82d0e4547407bdca25692313c2a95b07438991c4cfd44a85d85e5976a965.exe

  • Size

    74KB

  • MD5

    ba4380237e7a0f220deaaada1fddff73

  • SHA1

    394b852855574cffa26a66bec083792a21f87f79

  • SHA256

    57df82d0e4547407bdca25692313c2a95b07438991c4cfd44a85d85e5976a965

  • SHA512

    5e70426b3547020f93c62764f418ff7d475f4bf772130b056f33884e7b155b9675a4af292b356bd9897c5e6c665488989d7400dfb452d8544d1252b3e3798142

Score
10/10
vkeyloggerkeyloggerpersistencestealersuricata

Malware Config

Signatures

  • VKeylogger

    A keylogger first seen in Nov 2020.

    stealerkeyloggervkeylogger
  • VKeylogger Payload 1 IoCs
  • suricata: ET MALWARE Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)

    suricata: ET MALWARE Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)

    suricata
  • suricata: ET MALWARE Generic Request to gate.php Dotted-Quad

    suricata: ET MALWARE Generic Request to gate.php Dotted-Quad

    suricata
  • suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers

    suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers

    suricata
  • suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

    suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

    suricata
  • suricata: ET MALWARE Win32/Spy.Agent.QAQ Variant CnC Activity

    suricata: ET MALWARE Win32/Spy.Agent.QAQ Variant CnC Activity

    suricata
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\57df82d0e4547407bdca25692313c2a95b07438991c4cfd44a85d85e5976a965.exe
    "C:\Users\Admin\AppData\Local\Temp\57df82d0e4547407bdca25692313c2a95b07438991c4cfd44a85d85e5976a965.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:268
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:320
      • C:\Users\Admin\AppData\Local\Temp\493.exe
        "C:\Users\Admin\AppData\Local\Temp\493.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1168
        • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
          "C:\Program Files (x86)\Internet Explorer\ielowutil.exe"
          4⤵
            PID:1968

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\493.exe
      MD5

      558063e08ac6993410949408a509a30f

      SHA1

      d72106f1ed83cf83cde7f0ac3e89990521af7e76

      SHA256

      5c99e168d451cb5bc262de0e0251717578a637edb9cf16ba11e2315e86ad48f5

      SHA512

      e6ad56895b4e489fe079d7fa21951476a50077856a0f3f28678fdc2904306af389416370dd5cd4d911f21d2750c184bd8f1f40553cd4e3a7eee262ed86b7ae14

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\493.exe
      MD5

      558063e08ac6993410949408a509a30f

      SHA1

      d72106f1ed83cf83cde7f0ac3e89990521af7e76

      SHA256

      5c99e168d451cb5bc262de0e0251717578a637edb9cf16ba11e2315e86ad48f5

      SHA512

      e6ad56895b4e489fe079d7fa21951476a50077856a0f3f28678fdc2904306af389416370dd5cd4d911f21d2750c184bd8f1f40553cd4e3a7eee262ed86b7ae14

      Download Submit
    • \Users\Admin\AppData\Local\Temp\493.exe
      MD5

      558063e08ac6993410949408a509a30f

      SHA1

      d72106f1ed83cf83cde7f0ac3e89990521af7e76

      SHA256

      5c99e168d451cb5bc262de0e0251717578a637edb9cf16ba11e2315e86ad48f5

      SHA512

      e6ad56895b4e489fe079d7fa21951476a50077856a0f3f28678fdc2904306af389416370dd5cd4d911f21d2750c184bd8f1f40553cd4e3a7eee262ed86b7ae14

      Download Submit
    • \Users\Admin\AppData\Local\Temp\493.exe
      MD5

      558063e08ac6993410949408a509a30f

      SHA1

      d72106f1ed83cf83cde7f0ac3e89990521af7e76

      SHA256

      5c99e168d451cb5bc262de0e0251717578a637edb9cf16ba11e2315e86ad48f5

      SHA512

      e6ad56895b4e489fe079d7fa21951476a50077856a0f3f28678fdc2904306af389416370dd5cd4d911f21d2750c184bd8f1f40553cd4e3a7eee262ed86b7ae14

      Download Submit
    • \Users\Admin\AppData\Local\Temp\493.exe
      MD5

      558063e08ac6993410949408a509a30f

      SHA1

      d72106f1ed83cf83cde7f0ac3e89990521af7e76

      SHA256

      5c99e168d451cb5bc262de0e0251717578a637edb9cf16ba11e2315e86ad48f5

      SHA512

      e6ad56895b4e489fe079d7fa21951476a50077856a0f3f28678fdc2904306af389416370dd5cd4d911f21d2750c184bd8f1f40553cd4e3a7eee262ed86b7ae14

      Download Submit
    • \Users\Admin\AppData\Local\Temp\493.exe
      MD5

      558063e08ac6993410949408a509a30f

      SHA1

      d72106f1ed83cf83cde7f0ac3e89990521af7e76

      SHA256

      5c99e168d451cb5bc262de0e0251717578a637edb9cf16ba11e2315e86ad48f5

      SHA512

      e6ad56895b4e489fe079d7fa21951476a50077856a0f3f28678fdc2904306af389416370dd5cd4d911f21d2750c184bd8f1f40553cd4e3a7eee262ed86b7ae14

      Download Submit
    • \Users\Admin\AppData\Local\Temp\493.exe
      MD5

      558063e08ac6993410949408a509a30f

      SHA1

      d72106f1ed83cf83cde7f0ac3e89990521af7e76

      SHA256

      5c99e168d451cb5bc262de0e0251717578a637edb9cf16ba11e2315e86ad48f5

      SHA512

      e6ad56895b4e489fe079d7fa21951476a50077856a0f3f28678fdc2904306af389416370dd5cd4d911f21d2750c184bd8f1f40553cd4e3a7eee262ed86b7ae14

      Download Submit
    • memory/268-55-0x0000000076141000-0x0000000076143000-memory.dmp
      Filesize

      8KB

      Download
    • memory/320-57-0x0000000074EE1000-0x0000000074EE3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/320-58-0x0000000000080000-0x0000000000092000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1968-69-0x0000000000400000-0x0000000000687000-memory.dmp
      Filesize

      2.5MB

      Download