Malware Analysis Report

2024-11-13 15:33

Sample ID 241003-nabd8s1ape
Target ae08ea78ffecba73bdcc7f7f7273e7dc7b2c0ed119567941ace1e9c88e502224
SHA256 ae08ea78ffecba73bdcc7f7f7273e7dc7b2c0ed119567941ace1e9c88e502224
Tags
vipkeylogger collection discovery keylogger spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ae08ea78ffecba73bdcc7f7f7273e7dc7b2c0ed119567941ace1e9c88e502224

Threat Level: Known bad

The file ae08ea78ffecba73bdcc7f7f7273e7dc7b2c0ed119567941ace1e9c88e502224 was found to be: Known bad.

Malicious Activity Summary

vipkeylogger collection discovery keylogger spyware stealer

VIPKeylogger

Executes dropped EXE

Checks computer location settings

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Loads dropped DLL

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Browser Information Discovery

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

outlook_win_path

Suspicious use of WriteProcessMemory

outlook_office_path

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-03 11:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-03 11:11

Reported

2024-10-03 11:13

Platform

win7-20240708-en

Max time kernel

117s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\03_10_2024_Dönemi_MEVDUAT Ekstre Bilgiler.exe"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\03_10_2024_Dönemi_MEVDUAT Ekstre Bilgiler.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\03_10_2024_Dönemi_MEVDUAT Ekstre Bilgiler.exe

"C:\Users\Admin\AppData\Local\Temp\03_10_2024_Dönemi_MEVDUAT Ekstre Bilgiler.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 checkip.dyndns.org udp
US 193.122.130.0:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 104.21.67.152:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs

MD5 99b17143c77785dec72b12bf9fde7389
SHA1 fe803b2b32e187644433795fd26798122dc284fe
SHA256 e5c84ef4a1599f6f8130f70109bba6e6ba04439d10601c06834e36d31012f8e1
SHA512 49282594bde69abe29c01f866371dbb0b3eb2b46c6108a1e86e25a612afed4d74aa92ed930cde0c19c1696602730ac2df38b8dd3f4798eb763ade9c1c2ab2e4d

C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe

MD5 f01725be4af17d500bf5121780b3d304
SHA1 4ba42ced4db6a5173ece265424b26b32ececbbd6
SHA256 a6d95538d1d2f4031e10ff3a1258400a3f471fe64e14ff2dc9808c28334d0cea
SHA512 68d39578c162f03c64617b82d8c242afb8278fa31476e116a29c83138fc804d75aefffe7e956ba8ffe6d5b2253f83d704212a166df1dc57e58b502fcdfdbed26

memory/2060-10-0x0000000000200000-0x000000000024C000-memory.dmp

memory/2060-11-0x00000000021D0000-0x000000000221A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-03 11:11

Reported

2024-10-03 11:13

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\03_10_2024_Dönemi_MEVDUAT Ekstre Bilgiler.exe"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\03_10_2024_Dönemi_MEVDUAT Ekstre Bilgiler.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\03_10_2024_Dönemi_MEVDUAT Ekstre Bilgiler.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\03_10_2024_Dönemi_MEVDUAT Ekstre Bilgiler.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\03_10_2024_Dönemi_MEVDUAT Ekstre Bilgiler.exe

"C:\Users\Admin\AppData\Local\Temp\03_10_2024_Dönemi_MEVDUAT Ekstre Bilgiler.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 checkip.dyndns.org udp
US 158.101.44.242:80 checkip.dyndns.org tcp
US 8.8.8.8:53 242.44.101.158.in-addr.arpa udp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 172.67.177.134:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 134.177.67.172.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs

MD5 99b17143c77785dec72b12bf9fde7389
SHA1 fe803b2b32e187644433795fd26798122dc284fe
SHA256 e5c84ef4a1599f6f8130f70109bba6e6ba04439d10601c06834e36d31012f8e1
SHA512 49282594bde69abe29c01f866371dbb0b3eb2b46c6108a1e86e25a612afed4d74aa92ed930cde0c19c1696602730ac2df38b8dd3f4798eb763ade9c1c2ab2e4d

C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe

MD5 f01725be4af17d500bf5121780b3d304
SHA1 4ba42ced4db6a5173ece265424b26b32ececbbd6
SHA256 a6d95538d1d2f4031e10ff3a1258400a3f471fe64e14ff2dc9808c28334d0cea
SHA512 68d39578c162f03c64617b82d8c242afb8278fa31476e116a29c83138fc804d75aefffe7e956ba8ffe6d5b2253f83d704212a166df1dc57e58b502fcdfdbed26

memory/3052-9-0x000001FF455D0000-0x000001FF4561C000-memory.dmp

memory/3052-10-0x0000023FDB9F0000-0x0000023FDBA3A000-memory.dmp

memory/3052-11-0x0000023FF4860000-0x0000023FF4A22000-memory.dmp

memory/3052-12-0x0000023FF4690000-0x0000023FF46E0000-memory.dmp