Analysis
-
max time kernel
136s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
29/08/2024, 15:25
Static task
static1
Behavioral task
behavioral1
Sample
7441ee61db5f1ca3b26cf09df0763fed9f959b30970be46497e17f8470cb57a6.vbs
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
7441ee61db5f1ca3b26cf09df0763fed9f959b30970be46497e17f8470cb57a6.vbs
Resource
win10v2004-20240802-en
General
-
Target
7441ee61db5f1ca3b26cf09df0763fed9f959b30970be46497e17f8470cb57a6.vbs
-
Size
9KB
-
MD5
11a8dbecbeb35ba5652b8fd4a9cefc9d
-
SHA1
8ec32ebe929a907ce8c19433e5c5a6f48f7639c1
-
SHA256
7441ee61db5f1ca3b26cf09df0763fed9f959b30970be46497e17f8470cb57a6
-
SHA512
48dc0edf68d4a1f9d70a348a50aa93f8c42928a44a76709a34c641f8a04d3d97ed1fa98ac8aeab2d0ee41588597960ff81109e6e408503d3c4bd7ea96d4d5450
-
SSDEEP
48:FeuekJeueheueRFF0euejzFF1Le8m3eNeueo:0jkAjYjbjM8mO8jo
Malware Config
Extracted
vipkeylogger
Protocol: smtp- Host:
smtp.gmail.com - Port:
587 - Username:
[email protected] - Password:
lyao lcfc jjdk kszy - Email To:
[email protected]
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Blocklisted process makes network request 1 IoCs
flow pid Process 3 3176 WScript.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation WScript.exe -
Executes dropped EXE 2 IoCs
pid Process 1388 PbsonX.exe 3000 PbsonX.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PbsonX.exe Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PbsonX.exe Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PbsonX.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PbsonX.exe" PbsonX.exe Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\Service.exe" PbsonX.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 31 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1388 set thread context of 3000 1388 PbsonX.exe 97 -
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PbsonX.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PbsonX.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings WScript.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3000 PbsonX.exe 3000 PbsonX.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3000 PbsonX.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 3176 wrote to memory of 4048 3176 WScript.exe 95 PID 3176 wrote to memory of 4048 3176 WScript.exe 95 PID 4048 wrote to memory of 1388 4048 WScript.exe 96 PID 4048 wrote to memory of 1388 4048 WScript.exe 96 PID 4048 wrote to memory of 1388 4048 WScript.exe 96 PID 1388 wrote to memory of 3000 1388 PbsonX.exe 97 PID 1388 wrote to memory of 3000 1388 PbsonX.exe 97 PID 1388 wrote to memory of 3000 1388 PbsonX.exe 97 PID 1388 wrote to memory of 3000 1388 PbsonX.exe 97 PID 1388 wrote to memory of 3000 1388 PbsonX.exe 97 PID 1388 wrote to memory of 3000 1388 PbsonX.exe 97 PID 1388 wrote to memory of 3000 1388 PbsonX.exe 97 PID 1388 wrote to memory of 3000 1388 PbsonX.exe 97 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PbsonX.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PbsonX.exe
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7441ee61db5f1ca3b26cf09df0763fed9f959b30970be46497e17f8470cb57a6.vbs"1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3176 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MKLTPZ.js"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4048 -
C:\Users\Admin\AppData\Local\Temp\PbsonX.exe"C:\Users\Admin\AppData\Local\Temp\PbsonX.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1388 -
C:\Users\Admin\AppData\Local\Temp\PbsonX.exe"C:\Users\Admin\AppData\Local\Temp\PbsonX.exe"4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3000
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
520B
MD503febbff58da1d3318c31657d89c8542
SHA1c9e017bd9d0a4fe533795b227c855935d86c2092
SHA2565164770a37b199a79ccd23b399bb3309228973d9f74c589bc2623dc613b37ac4
SHA5123750c372bbca1892e9c1b34681d592c693e725a8b149c3d6938079cd467628cec42c4293b0d886b57a786abf45f5e7229247b3445001774e3e793ff5a3accfa3
-
Filesize
6.6MB
MD5ea57ef071f46a17df4b8976911510a85
SHA17ddaf13fcdf13173034c8e66ef8b49aef3fd6a8d
SHA256aa79b39b43a7be8f342672a9b88fe35f2eff99c0088cf05acde9f5a9cec1bfc0
SHA512f451352f8e6950d1403039e1b4ce3f8de3546179244caff7891d67c2c4f6a72228f6d14f6ec2fcab7c724f2d503c34897a7a71bfa306b0881f21faab4b553cee
-
Filesize
287KB
MD5c7d1736b0a9f204446af8c5eb85a93bd
SHA1a0b2bf664b02d76153c272318cfbdde300ca921a
SHA256c2e3de7bf895dda2bf0d46057acc39aabf827d2c3599bc0f7ab3e6e05a0b3666
SHA5124be6ede7c2de317e0beb151f9e3fbc92a3c7e893aa73c2e3cf12ea5c33498e0c13b987090d31915b40f7891d6e33d7e21f96e8cba6842d3235fc0e306e619ea5