vkeylogger | 8c50b6cbe0c930b7e7725350fbb11cf8f1d7e8d5efb0db383d507155ab9f0a7d

Analysis

max time kernel
4294208s
max time network
124s
platform
windows7_x64
resource
win7-20220311-en
submitted
21-03-2022 09:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4552348445415f5a30a31366a5d5e126.exe
Size

276KB
MD5

4552348445415f5a30a31366a5d5e126
SHA1

c15892a50f4237608feee5b06c0737c3126a8bc4
SHA256

8c50b6cbe0c930b7e7725350fbb11cf8f1d7e8d5efb0db383d507155ab9f0a7d
SHA512

8c96dc9747a32f9242942f0dcd867ec52e8dd6dcfff1818fba53ea9fb7bcfeda437550dc022a583b8e23535c810b1f25b7c387b29bcf7b6d36896a0bb072f318

Score

10^/10

vkeylogger keylogger stealer

Malware Config

Signatures

VKeylogger
A keylogger first seen in Nov 2020.
stealer keylogger vkeylogger

VKeylogger Payload 15 IoCs

resource	yara_rule
behavioral1/memory/308-61-0x0000000000400000-0x000000000040F000-memory.dmp	family_vkeylogger
behavioral1/memory/308-63-0x0000000000400000-0x000000000040F000-memory.dmp	family_vkeylogger
behavioral1/memory/308-65-0x0000000000400000-0x000000000040F000-memory.dmp	family_vkeylogger
behavioral1/memory/308-67-0x0000000000400000-0x000000000040F000-memory.dmp	family_vkeylogger
behavioral1/memory/1776-68-0x00000000011C0000-0x0000000001208000-memory.dmp	family_vkeylogger
behavioral1/memory/1028-84-0x00000000011C0000-0x0000000001208000-memory.dmp	family_vkeylogger
behavioral1/memory/1668-100-0x00000000011C0000-0x0000000001208000-memory.dmp	family_vkeylogger
behavioral1/memory/1964-102-0x00000000011C0000-0x0000000001208000-memory.dmp	family_vkeylogger
behavioral1/memory/2012-118-0x00000000011C0000-0x0000000001208000-memory.dmp	family_vkeylogger
behavioral1/memory/1736-133-0x00000000011C0000-0x0000000001208000-memory.dmp	family_vkeylogger
behavioral1/memory/460-136-0x00000000011C0000-0x0000000001208000-memory.dmp	family_vkeylogger
behavioral1/memory/556-138-0x00000000011C0000-0x0000000001208000-memory.dmp	family_vkeylogger
behavioral1/memory/1876-167-0x00000000011C0000-0x0000000001208000-memory.dmp	family_vkeylogger
behavioral1/memory/1524-182-0x00000000011C0000-0x0000000001208000-memory.dmp	family_vkeylogger
behavioral1/memory/1604-197-0x00000000011C0000-0x0000000001208000-memory.dmp	family_vkeylogger

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 1776 set thread context of 308	1776	4552348445415f5a30a31366a5d5e126.exe	27
PID 1028 set thread context of 304	1028	4552348445415f5a30a31366a5d5e126.exe	30
PID 1668 set thread context of 1520	1668	4552348445415f5a30a31366a5d5e126.exe	33
PID 2012 set thread context of 1156	2012	4552348445415f5a30a31366a5d5e126.exe	39
PID 1736 set thread context of 1076	1736	4552348445415f5a30a31366a5d5e126.exe	42
PID 556 set thread context of 1364	556	4552348445415f5a30a31366a5d5e126.exe	46
PID 1876 set thread context of 1548	1876	4552348445415f5a30a31366a5d5e126.exe	49
PID 1524 set thread context of 1596	1524	4552348445415f5a30a31366a5d5e126.exe	52
PID 1604 set thread context of 1612	1604	4552348445415f5a30a31366a5d5e126.exe	55

Program crash 9 IoCs

pid	pid_target	Process	procid_target
680	308	WerFault.exe	27
1152	304	WerFault.exe	30
1184	1520	WerFault.exe	33
2020	1156	WerFault.exe	39
1680	1076	WerFault.exe	42
1824	1364	WerFault.exe	46
1368	1548	WerFault.exe	49
1116	1596	WerFault.exe	52
1816	1612	WerFault.exe	55

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1776	4552348445415f5a30a31366a5d5e126.exe
1028	4552348445415f5a30a31366a5d5e126.exe
1668	4552348445415f5a30a31366a5d5e126.exe
2012	4552348445415f5a30a31366a5d5e126.exe
1736	4552348445415f5a30a31366a5d5e126.exe
556	4552348445415f5a30a31366a5d5e126.exe
1876	4552348445415f5a30a31366a5d5e126.exe
1524	4552348445415f5a30a31366a5d5e126.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 308	1776	4552348445415f5a30a31366a5d5e126.exe	27
PID 1776 wrote to memory of 308	1776	4552348445415f5a30a31366a5d5e126.exe	27
PID 1776 wrote to memory of 308	1776	4552348445415f5a30a31366a5d5e126.exe	27
PID 1776 wrote to memory of 308	1776	4552348445415f5a30a31366a5d5e126.exe	27
PID 1776 wrote to memory of 308	1776	4552348445415f5a30a31366a5d5e126.exe	27
PID 1776 wrote to memory of 308	1776	4552348445415f5a30a31366a5d5e126.exe	27
PID 1776 wrote to memory of 308	1776	4552348445415f5a30a31366a5d5e126.exe	27
PID 1776 wrote to memory of 308	1776	4552348445415f5a30a31366a5d5e126.exe	27
PID 1776 wrote to memory of 308	1776	4552348445415f5a30a31366a5d5e126.exe	27
PID 1776 wrote to memory of 308	1776	4552348445415f5a30a31366a5d5e126.exe	27
PID 1776 wrote to memory of 308	1776	4552348445415f5a30a31366a5d5e126.exe	27
PID 308 wrote to memory of 680	308	4552348445415f5a30a31366a5d5e126.exe	28
PID 308 wrote to memory of 680	308	4552348445415f5a30a31366a5d5e126.exe	28
PID 308 wrote to memory of 680	308	4552348445415f5a30a31366a5d5e126.exe	28
PID 308 wrote to memory of 680	308	4552348445415f5a30a31366a5d5e126.exe	28
PID 1776 wrote to memory of 1028	1776	4552348445415f5a30a31366a5d5e126.exe	29
PID 1776 wrote to memory of 1028	1776	4552348445415f5a30a31366a5d5e126.exe	29
PID 1776 wrote to memory of 1028	1776	4552348445415f5a30a31366a5d5e126.exe	29
PID 1776 wrote to memory of 1028	1776	4552348445415f5a30a31366a5d5e126.exe	29
PID 1028 wrote to memory of 304	1028	4552348445415f5a30a31366a5d5e126.exe	30
PID 1028 wrote to memory of 304	1028	4552348445415f5a30a31366a5d5e126.exe	30
PID 1028 wrote to memory of 304	1028	4552348445415f5a30a31366a5d5e126.exe	30
PID 1028 wrote to memory of 304	1028	4552348445415f5a30a31366a5d5e126.exe	30
PID 1028 wrote to memory of 304	1028	4552348445415f5a30a31366a5d5e126.exe	30
PID 1028 wrote to memory of 304	1028	4552348445415f5a30a31366a5d5e126.exe	30
PID 1028 wrote to memory of 304	1028	4552348445415f5a30a31366a5d5e126.exe	30
PID 1028 wrote to memory of 304	1028	4552348445415f5a30a31366a5d5e126.exe	30
PID 1028 wrote to memory of 304	1028	4552348445415f5a30a31366a5d5e126.exe	30
PID 1028 wrote to memory of 304	1028	4552348445415f5a30a31366a5d5e126.exe	30
PID 1028 wrote to memory of 304	1028	4552348445415f5a30a31366a5d5e126.exe	30
PID 304 wrote to memory of 1152	304	4552348445415f5a30a31366a5d5e126.exe	31
PID 304 wrote to memory of 1152	304	4552348445415f5a30a31366a5d5e126.exe	31
PID 304 wrote to memory of 1152	304	4552348445415f5a30a31366a5d5e126.exe	31
PID 304 wrote to memory of 1152	304	4552348445415f5a30a31366a5d5e126.exe	31
PID 1028 wrote to memory of 1668	1028	4552348445415f5a30a31366a5d5e126.exe	32
PID 1028 wrote to memory of 1668	1028	4552348445415f5a30a31366a5d5e126.exe	32
PID 1028 wrote to memory of 1668	1028	4552348445415f5a30a31366a5d5e126.exe	32
PID 1028 wrote to memory of 1668	1028	4552348445415f5a30a31366a5d5e126.exe	32
PID 1668 wrote to memory of 1520	1668	4552348445415f5a30a31366a5d5e126.exe	33
PID 1668 wrote to memory of 1520	1668	4552348445415f5a30a31366a5d5e126.exe	33
PID 1668 wrote to memory of 1520	1668	4552348445415f5a30a31366a5d5e126.exe	33
PID 1668 wrote to memory of 1520	1668	4552348445415f5a30a31366a5d5e126.exe	33
PID 1668 wrote to memory of 1520	1668	4552348445415f5a30a31366a5d5e126.exe	33
PID 1668 wrote to memory of 1520	1668	4552348445415f5a30a31366a5d5e126.exe	33
PID 1668 wrote to memory of 1520	1668	4552348445415f5a30a31366a5d5e126.exe	33
PID 1668 wrote to memory of 1520	1668	4552348445415f5a30a31366a5d5e126.exe	33
PID 1668 wrote to memory of 1520	1668	4552348445415f5a30a31366a5d5e126.exe	33
PID 1668 wrote to memory of 1520	1668	4552348445415f5a30a31366a5d5e126.exe	33
PID 1668 wrote to memory of 1520	1668	4552348445415f5a30a31366a5d5e126.exe	33
PID 1520 wrote to memory of 1184	1520	4552348445415f5a30a31366a5d5e126.exe	34
PID 1520 wrote to memory of 1184	1520	4552348445415f5a30a31366a5d5e126.exe	34
PID 1520 wrote to memory of 1184	1520	4552348445415f5a30a31366a5d5e126.exe	34
PID 1520 wrote to memory of 1184	1520	4552348445415f5a30a31366a5d5e126.exe	34
PID 1668 wrote to memory of 1964	1668	4552348445415f5a30a31366a5d5e126.exe	37
PID 1668 wrote to memory of 1964	1668	4552348445415f5a30a31366a5d5e126.exe	37
PID 1668 wrote to memory of 1964	1668	4552348445415f5a30a31366a5d5e126.exe	37
PID 1668 wrote to memory of 1964	1668	4552348445415f5a30a31366a5d5e126.exe	37
PID 1964 wrote to memory of 2012	1964	4552348445415f5a30a31366a5d5e126.exe	38
PID 1964 wrote to memory of 2012	1964	4552348445415f5a30a31366a5d5e126.exe	38
PID 1964 wrote to memory of 2012	1964	4552348445415f5a30a31366a5d5e126.exe	38
PID 1964 wrote to memory of 2012	1964	4552348445415f5a30a31366a5d5e126.exe	38
PID 2012 wrote to memory of 1156	2012	4552348445415f5a30a31366a5d5e126.exe	39
PID 2012 wrote to memory of 1156	2012	4552348445415f5a30a31366a5d5e126.exe	39
PID 2012 wrote to memory of 1156	2012	4552348445415f5a30a31366a5d5e126.exe	39

C:\Users\Admin\AppData\Local\Temp\4552348445415f5a30a31366a5d5e126.exe
"C:\Users\Admin\AppData\Local\Temp\4552348445415f5a30a31366a5d5e126.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Users\Admin\AppData\Local\Temp\4552348445415f5a30a31366a5d5e126.exe
  "C:\Users\Admin\AppData\Local\Temp\4552348445415f5a30a31366a5d5e126.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:308
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 308 -s 36
    3⤵
    - Program crash
    PID:680
- C:\Users\Admin\AppData\Local\Temp\4552348445415f5a30a31366a5d5e126.exe
  "C:\Users\Admin\AppData\Local\Temp\4552348445415f5a30a31366a5d5e126.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1028
- - C:\Users\Admin\AppData\Local\Temp\4552348445415f5a30a31366a5d5e126.exe
    "C:\Users\Admin\AppData\Local\Temp\4552348445415f5a30a31366a5d5e126.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:304
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 304 -s 36
      4⤵
      Program crash
      PID:1152
- - C:\Users\Admin\AppData\Local\Temp\4552348445415f5a30a31366a5d5e126.exe
    "C:\Users\Admin\AppData\Local\Temp\4552348445415f5a30a31366a5d5e126.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1668
  - - C:\Users\Admin\AppData\Local\Temp\4552348445415f5a30a31366a5d5e126.exe
      "C:\Users\Admin\AppData\Local\Temp\4552348445415f5a30a31366a5d5e126.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1520
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 36
        5⤵
        Program crash
        
        PID:1184
  - - C:\Users\Admin\AppData\Local\Temp\4552348445415f5a30a31366a5d5e126.exe
      "C:\Users\Admin\AppData\Local\Temp\4552348445415f5a30a31366a5d5e126.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1964
    - - C:\Users\Admin\AppData\Local\Temp\4552348445415f5a30a31366a5d5e126.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4552348445415f5a30a31366a5d5e126.exe"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2012
      - C:\Users\Admin\AppData\Local\Temp\4552348445415f5a30a31366a5d5e126.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4552348445415f5a30a31366a5d5e126.exe"
        6⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 36
        7⤵
        Program crash
        
        PID:2020
      - C:\Users\Admin\AppData\Local\Temp\4552348445415f5a30a31366a5d5e126.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4552348445415f5a30a31366a5d5e126.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\4552348445415f5a30a31366a5d5e126.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4552348445415f5a30a31366a5d5e126.exe"
        7⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 36
        8⤵
        Program crash
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\4552348445415f5a30a31366a5d5e126.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4552348445415f5a30a31366a5d5e126.exe"
        7⤵
        
        PID:460
        
        C:\Users\Admin\AppData\Local\Temp\4552348445415f5a30a31366a5d5e126.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4552348445415f5a30a31366a5d5e126.exe"
        8⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\4552348445415f5a30a31366a5d5e126.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4552348445415f5a30a31366a5d5e126.exe"
        9⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 36
        10⤵
        Program crash
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\4552348445415f5a30a31366a5d5e126.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4552348445415f5a30a31366a5d5e126.exe"
        9⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\4552348445415f5a30a31366a5d5e126.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4552348445415f5a30a31366a5d5e126.exe"
        10⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 36
        11⤵
        Program crash
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\4552348445415f5a30a31366a5d5e126.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4552348445415f5a30a31366a5d5e126.exe"
        10⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\4552348445415f5a30a31366a5d5e126.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4552348445415f5a30a31366a5d5e126.exe"
        11⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 36
        12⤵
        Program crash
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\4552348445415f5a30a31366a5d5e126.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4552348445415f5a30a31366a5d5e126.exe"
        11⤵
        Suspicious use of SetThreadContext
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\4552348445415f5a30a31366a5d5e126.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4552348445415f5a30a31366a5d5e126.exe"
        12⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 36
        13⤵
        Program crash
        
        PID:1816

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/308-55-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/308-59-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/308-57-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/308-61-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/308-63-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/308-65-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/308-67-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/460-139-0x0000000077C50000-0x0000000077DD0000-memory.dmp

Filesize
1.5MB

Download
memory/460-136-0x00000000011C0000-0x0000000001208000-memory.dmp

Filesize
288KB

Download
memory/556-138-0x00000000011C0000-0x0000000001208000-memory.dmp

Filesize
288KB

Download
memory/1028-85-0x0000000077C50000-0x0000000077DD0000-memory.dmp

Filesize
1.5MB

Download
memory/1028-84-0x00000000011C0000-0x0000000001208000-memory.dmp

Filesize
288KB

Download
memory/1524-182-0x00000000011C0000-0x0000000001208000-memory.dmp

Filesize
288KB

Download
memory/1604-197-0x00000000011C0000-0x0000000001208000-memory.dmp

Filesize
288KB

Download
memory/1668-100-0x00000000011C0000-0x0000000001208000-memory.dmp

Filesize
288KB

Download
memory/1736-133-0x00000000011C0000-0x0000000001208000-memory.dmp

Filesize
288KB

Download
memory/1736-134-0x0000000077C50000-0x0000000077DD0000-memory.dmp

Filesize
1.5MB

Download
memory/1776-69-0x0000000077C50000-0x0000000077DD0000-memory.dmp

Filesize
1.5MB

Download
memory/1776-68-0x00000000011C0000-0x0000000001208000-memory.dmp

Filesize
288KB

Download
memory/1876-167-0x00000000011C0000-0x0000000001208000-memory.dmp

Filesize
288KB

Download
memory/1964-102-0x00000000011C0000-0x0000000001208000-memory.dmp

Filesize
288KB

Download
memory/1964-103-0x0000000077C50000-0x0000000077DD0000-memory.dmp

Filesize
1.5MB

Download
memory/2012-118-0x00000000011C0000-0x0000000001208000-memory.dmp

Filesize
288KB

Download