Analysis
-
max time kernel
297s -
max time network
278s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22-10-2024 16:32
Static task
static1
Behavioral task
behavioral1
Sample
Factura CLD6154.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
Factura CLD6154.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
General
-
Target
Factura CLD6154.exe
-
Size
782KB
-
MD5
df5e4c3fcbb003291a9799ac07c19718
-
SHA1
c73ba1d8e6e30a37cf4675d3204b15b75b330b26
-
SHA256
fd424c3fcd01bce1f07c8040bcf1c3683078c4b048528f76efc69b26b207e1a6
-
SHA512
f6bbac1abf087bcb4730e8281d07af8aa70c86b5c476338df58cb042ff6629bcfc51e57a2ed4f18f444c53a2f2f914e170b1a2e73161701db9bbf26b7b3cc3f9
-
SSDEEP
12288:I5gGipxk+Kugo1xj+ZY9SQ7ax6q+gdD3/86DtrmT9cPfRNLiyi7TRd8:5Giw+Jn9SQ5q+Y/gcHv+yId8
Malware Config
Extracted
vipkeylogger
https://api.telegram.org/bot7777204705:AAGdGJgXaEaWvE6yXv7RvWYjJkTQCsiDnJc/sendMessage?chat_id=7698865320
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Loads dropped DLL 1 IoCs
Processes:
Factura CLD6154.exepid process 5060 Factura CLD6154.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
Factura CLD6154.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Factura CLD6154.exe Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Factura CLD6154.exe Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Factura CLD6154.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 54 checkip.dyndns.org -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes:
Factura CLD6154.exepid process 4284 Factura CLD6154.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
Factura CLD6154.exeFactura CLD6154.exepid process 5060 Factura CLD6154.exe 4284 Factura CLD6154.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Factura CLD6154.exedescription pid process target process PID 5060 set thread context of 4284 5060 Factura CLD6154.exe Factura CLD6154.exe -
Drops file in Program Files directory 2 IoCs
Processes:
Factura CLD6154.exedescription ioc process File created C:\Program Files (x86)\rollerskater.lnk Factura CLD6154.exe File opened for modification C:\Program Files (x86)\rollerskater.lnk Factura CLD6154.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Factura CLD6154.exeFactura CLD6154.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Factura CLD6154.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Factura CLD6154.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
Factura CLD6154.exepid process 4284 Factura CLD6154.exe 4284 Factura CLD6154.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
Factura CLD6154.exepid process 5060 Factura CLD6154.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Factura CLD6154.exedescription pid process Token: SeDebugPrivilege 4284 Factura CLD6154.exe -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
Factura CLD6154.exedescription pid process target process PID 5060 wrote to memory of 4284 5060 Factura CLD6154.exe Factura CLD6154.exe PID 5060 wrote to memory of 4284 5060 Factura CLD6154.exe Factura CLD6154.exe PID 5060 wrote to memory of 4284 5060 Factura CLD6154.exe Factura CLD6154.exe PID 5060 wrote to memory of 4284 5060 Factura CLD6154.exe Factura CLD6154.exe PID 5060 wrote to memory of 4284 5060 Factura CLD6154.exe Factura CLD6154.exe -
outlook_office_path 1 IoCs
Processes:
Factura CLD6154.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Factura CLD6154.exe -
outlook_win_path 1 IoCs
Processes:
Factura CLD6154.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Factura CLD6154.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Factura CLD6154.exe"C:\Users\Admin\AppData\Local\Temp\Factura CLD6154.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Users\Admin\AppData\Local\Temp\Factura CLD6154.exe"C:\Users\Admin\AppData\Local\Temp\Factura CLD6154.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4284
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD5ee260c45e97b62a5e42f17460d406068
SHA1df35f6300a03c4d3d3bd69752574426296b78695
SHA256e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27
SHA512a98f350d17c9057f33e5847462a87d59cbf2aaeda7f6299b0d49bb455e484ce4660c12d2eb8c4a0d21df523e729222bbd6c820bf25b081bc7478152515b414b3