Overview

overview

10

Static

static

3

Scan- 0039...ip.exe

windows7-x64

10

Scan- 0039...ip.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    132s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/11/2024, 11:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Scan- 00399905 Payment slip.exe

  • Size

    932KB

  • MD5

    acf267b0d4419caff6a79c43e1711b33

  • SHA1

    eb9b5a73815bcf20a23d014d7623004dd06ca10d

  • SHA256

    680c2a3691dc7babcf16daad934a2fe8efabb3214bf36f60825b708c7f736015

  • SHA512

    9fa068f707c21bfaea4ee15a7c47a9992ac43d2fca8294038624964a150e0514eb6eb3133b77146fa531f67188d6e2a78543234ae81ffcfc4035aedc60141c8e

  • SSDEEP

    12288:e1AP1l8h+SBPc5BniqSAP3dt6IO7dLakiEZMSdAs3evICb1ycUpthh:3l8h+SBSiqSAP3dt6IO7Ti3Sdpq1ycQ

Score
10/10
vipkeyloggercollectiondiscoverykeyloggerspywarestealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    stealerkeyloggervipkeylogger
  • Vipkeylogger family
    vipkeylogger
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Scan- 00399905 Payment slip.exe
    "C:\Users\Admin\AppData\Local\Temp\Scan- 00399905 Payment slip.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2764
    • C:\Users\Admin\AppData\Local\Temp\Scan- 00399905 Payment slip.exe
      "C:\Users\Admin\AppData\Local\Temp\Scan- 00399905 Payment slip.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:2456

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Scan- 00399905 Payment slip.exe.log
    Filesize

    1KB

    MD5

    7cad59aef5a93f093b6ba494f13f796f

    SHA1

    3cef97b77939bfc06dfd3946fc1a8cd159f67100

    SHA256

    1e1b444fe2d8772f6709b22b94bb5b0aa7fa590f6a693705d9bf1f2f71267a55

    SHA512

    8cedd03efec34c6226a01fd6b4831a689be16545ea6b849cd96f775e0722bfefd4b47f3dd8401d2080d341d4319f75995ece60de44352a1f86a2e5dc01e6210b

    Download Submit

  • memory/2456-12-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

    Download

  • memory/2456-20-0x0000000006B50000-0x0000000006BA0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2456-19-0x0000000006CB0000-0x0000000006E72000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2456-18-0x0000000075150000-0x0000000075900000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2456-17-0x0000000075150000-0x0000000075900000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2456-15-0x0000000075150000-0x0000000075900000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2764-10-0x0000000075150000-0x0000000075900000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2764-8-0x0000000006C40000-0x0000000006C5C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2764-9-0x000000007515E000-0x000000007515F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2764-0-0x000000007515E000-0x000000007515F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2764-11-0x0000000004F30000-0x0000000004FBC000-memory.dmp

    Filesize

    560KB

    Download

  • memory/2764-7-0x0000000006180000-0x000000000621C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/2764-6-0x0000000005A90000-0x0000000005A9A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2764-5-0x0000000075150000-0x0000000075900000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2764-16-0x0000000075150000-0x0000000075900000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2764-4-0x00000000055D0000-0x0000000005924000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2764-3-0x0000000005530000-0x00000000055C2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2764-2-0x0000000005AE0000-0x0000000006084000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2764-1-0x00000000009E0000-0x0000000000ACE000-memory.dmp

    Filesize

    952KB

    Download