Analysis
-
max time kernel
119s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
29/08/2024, 03:11
Static task
static1
Behavioral task
behavioral1
Sample
QTE070624.scr
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
QTE070624.scr
Resource
win10v2004-20240802-en
General
-
Target
QTE070624.scr
-
Size
690KB
-
MD5
ef321f0fca2075c4f5157490e4c4d779
-
SHA1
ad662ef5ca396da788abefbe8efe773f2a4b9c0e
-
SHA256
b40673c42c88df884d3931e1c3c45a273ca2c205ce13efc989ad8d84aeaa78fa
-
SHA512
28bf8a2a39e254fc92fcaf8db563f3ca40912ef8aef7d3daf3ac853af4cf78a764812d7c4d621b865a1492adb0ad433a8f103fd5760e1d8967e48dc88bc54320
-
SSDEEP
12288:qVVAYO4Zn/f+p9jA3bHcBFxe58MVTTh/u+Ol61Rq3w:ceCn/4A3IBer5dVa0q
Malware Config
Extracted
vipkeylogger
Protocol: smtp- Host:
mail.al-subai.com - Port:
587 - Username:
[email protected] - Password:
information12 - Email To:
[email protected]
https://api.telegram.org/bot7236590670:AAEZk9ec6tcUIipI8D5VK8zyHeQjcafFyOY/sendMessage?chat_id=2052461776
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2708 set thread context of 2648 2708 QTE070624.scr 30 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language QTE070624.scr -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2708 QTE070624.scr 2708 QTE070624.scr 2648 RegSvcs.exe 2648 RegSvcs.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2708 QTE070624.scr Token: SeDebugPrivilege 2648 RegSvcs.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2708 wrote to memory of 2648 2708 QTE070624.scr 30 PID 2708 wrote to memory of 2648 2708 QTE070624.scr 30 PID 2708 wrote to memory of 2648 2708 QTE070624.scr 30 PID 2708 wrote to memory of 2648 2708 QTE070624.scr 30 PID 2708 wrote to memory of 2648 2708 QTE070624.scr 30 PID 2708 wrote to memory of 2648 2708 QTE070624.scr 30 PID 2708 wrote to memory of 2648 2708 QTE070624.scr 30 PID 2708 wrote to memory of 2648 2708 QTE070624.scr 30 PID 2708 wrote to memory of 2648 2708 QTE070624.scr 30 PID 2708 wrote to memory of 2648 2708 QTE070624.scr 30 PID 2708 wrote to memory of 2648 2708 QTE070624.scr 30 PID 2708 wrote to memory of 2648 2708 QTE070624.scr 30 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\QTE070624.scr"C:\Users\Admin\AppData\Local\Temp\QTE070624.scr" /S1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2648
-