Analysis
- max time kernel: 120s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 21/08/2024, 10:53
Static task: static1
Behavioral task: behavioral1
  Sample: ac79fa50576f1fc0ccd6305179fa9eb82cc5fec8710731dbae0f94424e34e396.vbs
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: ac79fa50576f1fc0ccd6305179fa9eb82cc5fec8710731dbae0f94424e34e396.vbs
  Resource: win10v2004-20240802-en
General
- Target: ac79fa50576f1fc0ccd6305179fa9eb82cc5fec8710731dbae0f94424e34e396.vbs
- Size: 9KB
- MD5: 3f7809903fc3c0a98fcc472cab51af8b
- SHA1: 5028ee708574247249a8f9c77e6056e5e8265626
- SHA256: ac79fa50576f1fc0ccd6305179fa9eb82cc5fec8710731dbae0f94424e34e396
- SHA512: b45cfa3e08872f6856b98665018b0e53504894570a9f8168d2cf391bbc1d9ccb04f6052954a6364d7543e5b80e096e42ffa5ff331c9b8bb06a1a327c82a5bb3a
- SSDEEP: 24:35sNhG5sFKhG5sJ9hWOsNh3sf/syoWo+pJjx/LT1DuOsFKh3sf/syoWo+SxLeDuA:fLTY4twXbb5+eBAB6bubs
Malware Config
Extracted: vipkeylogger
- Protocol: smtp
- Host: smtp.gmail.com
- Port: 587
- Username: [email protected]
- Password: lyao lcfc jjdk kszy
- Email To: [email protected]
Signatures
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.
- Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access to, or copy of, a web browser credential store.
- Blocklisted process makes network request (1 IoC)
  flow | pid | Process
  4 | 2304 | WScript.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  3048 | etBlpvr.exe
  2588 | etBlpvr.exe
- Loads dropped DLL (1 IoC)
  pid | Process
  3048 | etBlpvr.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | etBlpvr.exe
  Key opened | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | etBlpvr.exe
  Key opened | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | etBlpvr.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etBlpvr.exe" | etBlpvr.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\Service.exe" | etBlpvr.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  5 | checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 3048 set thread context of 2588 | 3048 | etBlpvr.exe | 34
- Command and Scripting Interpreter: JavaScript (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | etBlpvr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | etBlpvr.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2588 | etBlpvr.exe
  2588 | etBlpvr.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 2588 | etBlpvr.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | Process | procid_target
  PID 2304 wrote to memory of 2840 | 2304 | WScript.exe | 32 (3 entries)
  PID 2840 wrote to memory of 3048 | 2840 | WScript.exe | 33 (4 entries)
  PID 3048 wrote to memory of 2588 | 3048 | etBlpvr.exe | 34 (9 entries)
- outlook_office_path (1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | etBlpvr.exe
- outlook_win_path (1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | etBlpvr.exe
Processes
- C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac79fa50576f1fc0ccd6305179fa9eb82cc5fec8710731dbae0f94424e34e396.vbs"
  PID: 2304
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TMYEEL.js"
    PID: 2840
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\etBlpvr.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\etBlpvr.exe"
      PID: 3048
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\etBlpvr.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\etBlpvr.exe"
        PID: 2588
        - Executes dropped EXE
        - Accesses Microsoft Outlook profiles
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - outlook_office_path
        - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
- Credential Access
  - Credentials from Password Stores (1)
    - Credentials from Web Browsers (1)
  - Unsecured Credentials (2)
    - Credentials In Files (2)
Downloads
- Filesize: 7.4MB
  MD5: 525c63b84040438a926c03de51181f31
  SHA1: fdf795b7188832cb229ca444aa77c518b989715e
  SHA256: 5b194105df980d66491cfd936a281a50960e329bbced39a007a3cf004387027d
  SHA512: b9dd0eb9429ba7df2ce89283a914a03a0d55ec8bac5a5dc42a85572f86e9a28cd6487a8ab781a7abd7eb3086ae9481b6f884055d04fadc5cdd697317a7735002
- Filesize: 287KB
  MD5: 3a8eb21f2c8267b9c95008be2699d74e
  SHA1: c6ed2e44b0ee1ac2cfcdd399e19ef5702a79e1d6
  SHA256: 10355924cb01387c2e5a9f33190f6b614433295d263c4917ec8c6a2b46c380ef
  SHA512: 9673af2ad11ce600af090bbf4ccb35bd4e5bc4ff3846a50b3bec14703466ffaf020e80404e39ea7124ddcebcd15bee261376d014e3e4ec48eb9891d01e87c713