Analysis
-
max time kernel
31s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
29/08/2024, 01:39
Static task
static1
Behavioral task
behavioral1
Sample
7441ee61db5f1ca3b26cf09df0763fed9f959b30970be46497e17f8470cb57a6.vbs
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
7441ee61db5f1ca3b26cf09df0763fed9f959b30970be46497e17f8470cb57a6.vbs
Resource
win10v2004-20240802-en
General
-
Target
7441ee61db5f1ca3b26cf09df0763fed9f959b30970be46497e17f8470cb57a6.vbs
-
Size
9KB
-
MD5
11a8dbecbeb35ba5652b8fd4a9cefc9d
-
SHA1
8ec32ebe929a907ce8c19433e5c5a6f48f7639c1
-
SHA256
7441ee61db5f1ca3b26cf09df0763fed9f959b30970be46497e17f8470cb57a6
-
SHA512
48dc0edf68d4a1f9d70a348a50aa93f8c42928a44a76709a34c641f8a04d3d97ed1fa98ac8aeab2d0ee41588597960ff81109e6e408503d3c4bd7ea96d4d5450
-
SSDEEP
48:FeuekJeueheueRFF0euejzFF1Le8m3eNeueo:0jkAjYjbjM8mO8jo
Malware Config
Extracted
vipkeylogger
Protocol: smtp- Host:
smtp.gmail.com - Port:
587 - Username:
[email protected] - Password:
lyao lcfc jjdk kszy - Email To:
[email protected]
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Blocklisted process makes network request 1 IoCs
flow pid Process 3 2348 WScript.exe -
Executes dropped EXE 2 IoCs
pid Process 2804 PbsonX.exe 2688 PbsonX.exe -
Loads dropped DLL 1 IoCs
pid Process 2804 PbsonX.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PbsonX.exe Key opened \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PbsonX.exe Key opened \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PbsonX.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PbsonX.exe" PbsonX.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\Service.exe" PbsonX.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 5 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2804 set thread context of 2688 2804 PbsonX.exe 32 -
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PbsonX.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PbsonX.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2688 PbsonX.exe 2688 PbsonX.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2688 PbsonX.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 2348 wrote to memory of 2672 2348 WScript.exe 30 PID 2348 wrote to memory of 2672 2348 WScript.exe 30 PID 2348 wrote to memory of 2672 2348 WScript.exe 30 PID 2672 wrote to memory of 2804 2672 WScript.exe 31 PID 2672 wrote to memory of 2804 2672 WScript.exe 31 PID 2672 wrote to memory of 2804 2672 WScript.exe 31 PID 2672 wrote to memory of 2804 2672 WScript.exe 31 PID 2804 wrote to memory of 2688 2804 PbsonX.exe 32 PID 2804 wrote to memory of 2688 2804 PbsonX.exe 32 PID 2804 wrote to memory of 2688 2804 PbsonX.exe 32 PID 2804 wrote to memory of 2688 2804 PbsonX.exe 32 PID 2804 wrote to memory of 2688 2804 PbsonX.exe 32 PID 2804 wrote to memory of 2688 2804 PbsonX.exe 32 PID 2804 wrote to memory of 2688 2804 PbsonX.exe 32 PID 2804 wrote to memory of 2688 2804 PbsonX.exe 32 PID 2804 wrote to memory of 2688 2804 PbsonX.exe 32 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PbsonX.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PbsonX.exe
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7441ee61db5f1ca3b26cf09df0763fed9f959b30970be46497e17f8470cb57a6.vbs"1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MKLTPZ.js"2⤵
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Users\Admin\AppData\Local\Temp\PbsonX.exe"C:\Users\Admin\AppData\Local\Temp\PbsonX.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Users\Admin\AppData\Local\Temp\PbsonX.exe"C:\Users\Admin\AppData\Local\Temp\PbsonX.exe"4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2688
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6.6MB
MD5ea57ef071f46a17df4b8976911510a85
SHA17ddaf13fcdf13173034c8e66ef8b49aef3fd6a8d
SHA256aa79b39b43a7be8f342672a9b88fe35f2eff99c0088cf05acde9f5a9cec1bfc0
SHA512f451352f8e6950d1403039e1b4ce3f8de3546179244caff7891d67c2c4f6a72228f6d14f6ec2fcab7c724f2d503c34897a7a71bfa306b0881f21faab4b553cee
-
Filesize
287KB
MD5c7d1736b0a9f204446af8c5eb85a93bd
SHA1a0b2bf664b02d76153c272318cfbdde300ca921a
SHA256c2e3de7bf895dda2bf0d46057acc39aabf827d2c3599bc0f7ab3e6e05a0b3666
SHA5124be6ede7c2de317e0beb151f9e3fbc92a3c7e893aa73c2e3cf12ea5c33498e0c13b987090d31915b40f7891d6e33d7e21f96e8cba6842d3235fc0e306e619ea5