Analysis

  • max time kernel
    136s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/08/2024, 02:07

General

  • Target

    ac79fa50576f1fc0ccd6305179fa9eb82cc5fec8710731dbae0f94424e34e396.vbs

  • Size

    9KB

  • MD5

    3f7809903fc3c0a98fcc472cab51af8b

  • SHA1

    5028ee708574247249a8f9c77e6056e5e8265626

  • SHA256

    ac79fa50576f1fc0ccd6305179fa9eb82cc5fec8710731dbae0f94424e34e396

  • SHA512

    b45cfa3e08872f6856b98665018b0e53504894570a9f8168d2cf391bbc1d9ccb04f6052954a6364d7543e5b80e096e42ffa5ff331c9b8bb06a1a327c82a5bb3a

  • SSDEEP

    24:35sNhG5sFKhG5sJ9hWOsNh3sf/syoWo+pJjx/LT1DuOsFKh3sf/syoWo+SxLeDuA:fLTY4twXbb5+eBAB6bubs

Malware Config

Extracted

Family

vipkeylogger

Credentials

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first found in 2020.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk, where infostealers often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac79fa50576f1fc0ccd6305179fa9eb82cc5fec8710731dbae0f94424e34e396.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1676
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TMYEEL.js"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2512
      • C:\Users\Admin\AppData\Local\Temp\etBlpvr.exe
        "C:\Users\Admin\AppData\Local\Temp\etBlpvr.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2388
        • C:\Users\Admin\AppData\Local\Temp\etBlpvr.exe
          "C:\Users\Admin\AppData\Local\Temp\etBlpvr.exe"
          4⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:1384

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\etBlpvr.exe.log

          Filesize

          520B

          MD5

          03febbff58da1d3318c31657d89c8542

          SHA1

          c9e017bd9d0a4fe533795b227c855935d86c2092

          SHA256

          5164770a37b199a79ccd23b399bb3309228973d9f74c589bc2623dc613b37ac4

          SHA512

          3750c372bbca1892e9c1b34681d592c693e725a8b149c3d6938079cd467628cec42c4293b0d886b57a786abf45f5e7229247b3445001774e3e793ff5a3accfa3

        • C:\Users\Admin\AppData\Local\Temp\TMYEEL.js

          Filesize

          7.4MB

          MD5

          525c63b84040438a926c03de51181f31

          SHA1

          fdf795b7188832cb229ca444aa77c518b989715e

          SHA256

          5b194105df980d66491cfd936a281a50960e329bbced39a007a3cf004387027d

          SHA512

          b9dd0eb9429ba7df2ce89283a914a03a0d55ec8bac5a5dc42a85572f86e9a28cd6487a8ab781a7abd7eb3086ae9481b6f884055d04fadc5cdd697317a7735002

        • C:\Users\Admin\AppData\Local\Temp\etBlpvr.exe

          Filesize

          287KB

          MD5

          3a8eb21f2c8267b9c95008be2699d74e

          SHA1

          c6ed2e44b0ee1ac2cfcdd399e19ef5702a79e1d6

          SHA256

          10355924cb01387c2e5a9f33190f6b614433295d263c4917ec8c6a2b46c380ef

          SHA512

          9673af2ad11ce600af090bbf4ccb35bd4e5bc4ff3846a50b3bec14703466ffaf020e80404e39ea7124ddcebcd15bee261376d014e3e4ec48eb9891d01e87c713

        • memory/1384-19-0x0000000000400000-0x000000000044A000-memory.dmp

          Filesize

          296KB

        • memory/1384-24-0x0000000005590000-0x000000000562C000-memory.dmp

          Filesize

          624KB

        • memory/1384-25-0x0000000006C40000-0x0000000006E02000-memory.dmp

          Filesize

          1.8MB

        • memory/1384-26-0x0000000006AE0000-0x0000000006B30000-memory.dmp

          Filesize

          320KB

        • memory/1384-27-0x0000000006E10000-0x0000000006EA2000-memory.dmp

          Filesize

          584KB

        • memory/1384-28-0x0000000006BF0000-0x0000000006BFA000-memory.dmp

          Filesize

          40KB

        • memory/2388-16-0x0000000000670000-0x00000000006BE000-memory.dmp

          Filesize

          312KB

        • memory/2388-17-0x00000000055B0000-0x0000000005B54000-memory.dmp

          Filesize

          5.6MB

        • memory/2388-18-0x0000000002A70000-0x0000000002A78000-memory.dmp

          Filesize

          32KB