Analysis

  • max time kernel
    133s
  • max time network
    203s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-10-2024 15:18

General

  • Target

    PIOE56709876780002.exe

  • Size

    1.2MB

  • MD5

    ea3273984038ab81206e74dcf5c3f04e

  • SHA1

    4cfedc14c31c4364382bf2865a14f82f3d2188db

  • SHA256

    68a1fa9a0a9dc5fbd2746b1103dc4ced27824bf12d99c50eedad5b19a3f640de

  • SHA512

    73d917ec4226de83d4b64e90d1d13243092ab21f43526bba9fbff27674640f2efb92462ba61ada50c9467501cbc12d2e7073a2c59e4b076a378f623430ff0796

  • SSDEEP

    24576:5fmMv6Ckr7Mny5QtMdiJJCtLxLe6aiCH2aE:53v+7/5QtMDLheMY2/

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.vvtrade.vn
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    qVyP6qyv6MQCmZJBRs4t

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI/sendMessage?chat_id=6443825857

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PIOE56709876780002.exe
    "C:\Users\Admin\AppData\Local\Temp\PIOE56709876780002.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4944
    • C:\Users\Admin\AppData\Local\harrowment\gunfights.exe
      "C:\Users\Admin\AppData\Local\Temp\PIOE56709876780002.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4904
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\PIOE56709876780002.exe"
        3⤵
        • Accesses Microsoft Outlook profiles
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:2716

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\antiprimer

    Filesize

    203KB

    MD5

    43b02edca7062d44acd3fd8f42d5078b

    SHA1

    75cf74ef3873aba176d9c7ba3deedb27f5cb699e

    SHA256

    991de88756301141788f3728735c42d7ab6dd479abd59b3ffb0b3fe81f2e45d5

    SHA512

    36a43298faf48d25f20ff22a1e456c928e0353843008bc70cc1412d5ea77d2f9cc3b157540b36d5139d179ea3388be38350a2c10e51af813b48dd8764c4f785f

  • C:\Users\Admin\AppData\Local\harrowment\gunfights.exe

    Filesize

    1.2MB

    MD5

    ea3273984038ab81206e74dcf5c3f04e

    SHA1

    4cfedc14c31c4364382bf2865a14f82f3d2188db

    SHA256

    68a1fa9a0a9dc5fbd2746b1103dc4ced27824bf12d99c50eedad5b19a3f640de

    SHA512

    73d917ec4226de83d4b64e90d1d13243092ab21f43526bba9fbff27674640f2efb92462ba61ada50c9467501cbc12d2e7073a2c59e4b076a378f623430ff0796

  • memory/2716-18-0x0000000005C10000-0x00000000061B4000-memory.dmp

    Filesize

    5.6MB

  • memory/2716-19-0x00000000056C0000-0x000000000570E000-memory.dmp

    Filesize

    312KB

  • memory/2716-12-0x0000000000400000-0x0000000000437000-memory.dmp

    Filesize

    220KB

  • memory/2716-14-0x0000000000400000-0x0000000000437000-memory.dmp

    Filesize

    220KB

  • memory/2716-15-0x0000000000400000-0x0000000000437000-memory.dmp

    Filesize

    220KB

  • memory/2716-13-0x0000000000400000-0x0000000000437000-memory.dmp

    Filesize

    220KB

  • memory/2716-16-0x000000007377E000-0x000000007377F000-memory.dmp

    Filesize

    4KB

  • memory/2716-17-0x0000000005600000-0x0000000005650000-memory.dmp

    Filesize

    320KB

  • memory/2716-27-0x00000000069A0000-0x00000000069AA000-memory.dmp

    Filesize

    40KB

  • memory/2716-26-0x0000000006C20000-0x0000000006CB2000-memory.dmp

    Filesize

    584KB

  • memory/2716-20-0x00000000057B0000-0x000000000584C000-memory.dmp

    Filesize

    624KB

  • memory/2716-21-0x00000000069B0000-0x0000000006B72000-memory.dmp

    Filesize

    1.8MB

  • memory/2716-22-0x0000000006850000-0x00000000068A0000-memory.dmp

    Filesize

    320KB

  • memory/2716-23-0x00000000070B0000-0x00000000075DC000-memory.dmp

    Filesize

    5.2MB

  • memory/2716-24-0x0000000000400000-0x0000000000437000-memory.dmp

    Filesize

    220KB

  • memory/2716-25-0x000000007377E000-0x000000007377F000-memory.dmp

    Filesize

    4KB

  • memory/4904-10-0x0000000003EC0000-0x00000000042C0000-memory.dmp

    Filesize

    4.0MB

  • memory/4944-2-0x00000000042B0000-0x00000000046B0000-memory.dmp

    Filesize

    4.0MB