vkeylogger | 1d4bf0958c9382e0ab0ee9dc4240fd01aa6c17b045f60a5fbe0a92663ccb875c

General

Target

c40967960f1817c1458a587cdab9e3a2.exe
Size

189KB
MD5

c40967960f1817c1458a587cdab9e3a2
SHA1

0f7fd80ae64aa53afae14571c7ee47a159a33bbc
SHA256

1d4bf0958c9382e0ab0ee9dc4240fd01aa6c17b045f60a5fbe0a92663ccb875c
SHA512

8ec11c41deccaa9ba05eee5ed3b3fc017035310347b47fae9ec44534ce83cca5df74d00c520d30b4357066284982753b11ecb527a5ce163896e4c78b6d706562

Score

10^/10

vkeylogger keylogger persistence stealer

Malware Config

Signatures

VKeylogger
A keylogger first seen in Nov 2020.
stealer keylogger vkeylogger

VKeylogger Payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/556-135-0x0000000000B70000-0x0000000000B9F000-memory.dmp	family_vkeylogger
behavioral2/memory/1264-137-0x0000000000400000-0x000000000040F000-memory.dmp	family_vkeylogger
behavioral2/memory/1264-138-0x0000000000400000-0x000000000040F000-memory.dmp	family_vkeylogger
behavioral2/memory/2340-141-0x0000000000B70000-0x0000000000B9F000-memory.dmp	family_vkeylogger
behavioral2/memory/3016-143-0x0000000000400000-0x000000000040F000-memory.dmp	family_vkeylogger
behavioral2/memory/2392-144-0x0000000000800000-0x000000000080F000-memory.dmp	family_vkeylogger
behavioral2/memory/2892-145-0x0000000001090000-0x000000000109F000-memory.dmp	family_vkeylogger

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdates = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c40967960f1817c1458a587cdab9e3a2.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChromeApplication = "C:\\Windows\\system32\\mshta.exe javascript:x=new%20ActiveXObject(\"wscript.shell\");v=x.RegRead(\"HKCU\\\\Software\\\\Microsoft\\\\SMSvcHost\\\\ComponentID\");eval(v);"	explorer.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

c40967960f1817c1458a587cdab9e3a2.exec40967960f1817c1458a587cdab9e3a2.exec40967960f1817c1458a587cdab9e3a2.exec40967960f1817c1458a587cdab9e3a2.exe

description	pid	process	target process
PID 556 set thread context of 1264	556	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 2340 set thread context of 3016	2340	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 1264 set thread context of 2392	1264	c40967960f1817c1458a587cdab9e3a2.exe	explorer.exe
PID 3016 set thread context of 2892	3016	c40967960f1817c1458a587cdab9e3a2.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

c40967960f1817c1458a587cdab9e3a2.exec40967960f1817c1458a587cdab9e3a2.exe

pid	process
556	c40967960f1817c1458a587cdab9e3a2.exe
556	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

c40967960f1817c1458a587cdab9e3a2.exec40967960f1817c1458a587cdab9e3a2.exeexplorer.exe

pid process

1264 c40967960f1817c1458a587cdab9e3a2.exe
3016 c40967960f1817c1458a587cdab9e3a2.exe
2392 explorer.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

explorer.exe

pid process

2392 explorer.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

explorer.exe

pid process

2392 explorer.exe

pid	process
1264	c40967960f1817c1458a587cdab9e3a2.exe
3016	c40967960f1817c1458a587cdab9e3a2.exe
2392	explorer.exe

pid	process
2392	explorer.exe

pid	process
2392	explorer.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

c40967960f1817c1458a587cdab9e3a2.exec40967960f1817c1458a587cdab9e3a2.exec40967960f1817c1458a587cdab9e3a2.exec40967960f1817c1458a587cdab9e3a2.exe

C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe
"C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:556

C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe
"C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1264

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
3⤵
- Adds Run key to start application
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2392

C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe
"C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2340

C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe
"C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3016

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
4⤵
PID:2892

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/556-134-0x00000000779A0000-0x0000000077B43000-memory.dmp

Filesize
1.6MB

Download
memory/556-135-0x0000000000B70000-0x0000000000B9F000-memory.dmp

Filesize
188KB

Download
memory/556-136-0x00000000779A0000-0x0000000077B43000-memory.dmp

Filesize
1.6MB

Download
memory/1264-137-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1264-138-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2340-139-0x00000000779A0000-0x0000000077B43000-memory.dmp

Filesize
1.6MB

Download
memory/2340-141-0x0000000000B70000-0x0000000000B9F000-memory.dmp

Filesize
188KB

Download
memory/2340-142-0x00000000779A0000-0x0000000077B43000-memory.dmp

Filesize
1.6MB

Download
memory/2392-144-0x0000000000800000-0x000000000080F000-memory.dmp

Filesize
60KB

Download
memory/2892-145-0x0000000001090000-0x000000000109F000-memory.dmp

Filesize
60KB

Download
memory/3016-143-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

description	pid	process	target process
PID 556 wrote to memory of 1264	556	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 556 wrote to memory of 1264	556	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 556 wrote to memory of 1264	556	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 556 wrote to memory of 1264	556	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 556 wrote to memory of 1264	556	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 556 wrote to memory of 1264	556	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 556 wrote to memory of 1264	556	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 556 wrote to memory of 1264	556	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 556 wrote to memory of 1264	556	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 556 wrote to memory of 1264	556	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 556 wrote to memory of 2340	556	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 556 wrote to memory of 2340	556	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 556 wrote to memory of 2340	556	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 2340 wrote to memory of 3016	2340	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 2340 wrote to memory of 3016	2340	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 2340 wrote to memory of 3016	2340	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 2340 wrote to memory of 3016	2340	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 2340 wrote to memory of 3016	2340	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 2340 wrote to memory of 3016	2340	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 2340 wrote to memory of 3016	2340	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 2340 wrote to memory of 3016	2340	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 2340 wrote to memory of 3016	2340	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 2340 wrote to memory of 3016	2340	c40967960f1817c1458a587cdab9e3a2.exe	c40967960f1817c1458a587cdab9e3a2.exe
PID 1264 wrote to memory of 2392	1264	c40967960f1817c1458a587cdab9e3a2.exe	explorer.exe
PID 1264 wrote to memory of 2392	1264	c40967960f1817c1458a587cdab9e3a2.exe	explorer.exe
PID 1264 wrote to memory of 2392	1264	c40967960f1817c1458a587cdab9e3a2.exe	explorer.exe
PID 3016 wrote to memory of 2892	3016	c40967960f1817c1458a587cdab9e3a2.exe	explorer.exe
PID 3016 wrote to memory of 2892	3016	c40967960f1817c1458a587cdab9e3a2.exe	explorer.exe
PID 3016 wrote to memory of 2892	3016	c40967960f1817c1458a587cdab9e3a2.exe	explorer.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads