Analysis
-
max time kernel
121s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
09-11-2024 03:13
Behavioral task
behavioral1
Sample
fatura.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
fatura.exe
Resource
win10v2004-20241007-en
General
-
Target
fatura.exe
-
Size
929KB
-
MD5
49e9e776c6f5d00a090adbd8814ffdc7
-
SHA1
4ea5b8d7b7beb2ad75bbe583c4658093c4ab12bd
-
SHA256
ef25dd02f39549f22a2272768115e7704ce4fd20e305b7aa16f9906b6688e903
-
SHA512
06e761bafcf3aa68a739ec24f17db1f9d1a36f59b940c8de12fd388dbd871dd2ab443a60c7723cd77ec1f52859cef469d9493759acc8acc1cfe1c471bf06f8cd
-
SSDEEP
24576:L4GHnhIzOa5WPGzwQA+jLgNK5O5Y1fmdruuAF:0shdaYP3t+g3d
Malware Config
Extracted
vipkeylogger
https://api.telegram.org/bot6820629737:AAGJ8tOkoD9jFHkd_L1kG1ntQ1J6zLhFsMc/sendMessage?chat_id=6783205225
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Vipkeylogger family
-
Drops startup file 1 IoCs
Processes:
murkest.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\murkest.vbs murkest.exe -
Executes dropped EXE 1 IoCs
Processes:
murkest.exepid process 2084 murkest.exe -
Loads dropped DLL 1 IoCs
Processes:
fatura.exepid process 1528 fatura.exe -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
RegSvcs.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 checkip.dyndns.org -
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral1/memory/1528-11-0x0000000000E50000-0x000000000104D000-memory.dmp autoit_exe behavioral1/memory/2084-23-0x0000000000CF0000-0x0000000000EED000-memory.dmp autoit_exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
murkest.exedescription pid process target process PID 2084 set thread context of 2340 2084 murkest.exe RegSvcs.exe -
Processes:
resource yara_rule behavioral1/memory/1528-0-0x0000000000E50000-0x000000000104D000-memory.dmp upx \Users\Admin\AppData\Local\Keily\murkest.exe upx behavioral1/memory/2084-12-0x0000000000CF0000-0x0000000000EED000-memory.dmp upx behavioral1/memory/1528-11-0x0000000000E50000-0x000000000104D000-memory.dmp upx behavioral1/memory/1528-10-0x0000000002EE0000-0x00000000030DD000-memory.dmp upx behavioral1/memory/2084-23-0x0000000000CF0000-0x0000000000EED000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
fatura.exemurkest.exeRegSvcs.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fatura.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language murkest.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
RegSvcs.exepid process 2340 RegSvcs.exe 2340 RegSvcs.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
murkest.exepid process 2084 murkest.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
RegSvcs.exedescription pid process Token: SeDebugPrivilege 2340 RegSvcs.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
fatura.exemurkest.exedescription pid process target process PID 1528 wrote to memory of 2084 1528 fatura.exe murkest.exe PID 1528 wrote to memory of 2084 1528 fatura.exe murkest.exe PID 1528 wrote to memory of 2084 1528 fatura.exe murkest.exe PID 1528 wrote to memory of 2084 1528 fatura.exe murkest.exe PID 2084 wrote to memory of 2340 2084 murkest.exe RegSvcs.exe PID 2084 wrote to memory of 2340 2084 murkest.exe RegSvcs.exe PID 2084 wrote to memory of 2340 2084 murkest.exe RegSvcs.exe PID 2084 wrote to memory of 2340 2084 murkest.exe RegSvcs.exe PID 2084 wrote to memory of 2340 2084 murkest.exe RegSvcs.exe PID 2084 wrote to memory of 2340 2084 murkest.exe RegSvcs.exe PID 2084 wrote to memory of 2340 2084 murkest.exe RegSvcs.exe PID 2084 wrote to memory of 2340 2084 murkest.exe RegSvcs.exe -
outlook_office_path 1 IoCs
Processes:
RegSvcs.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe -
outlook_win_path 1 IoCs
Processes:
RegSvcs.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\fatura.exe"C:\Users\Admin\AppData\Local\Temp\fatura.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Users\Admin\AppData\Local\Keily\murkest.exe"C:\Users\Admin\AppData\Local\Temp\fatura.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\fatura.exe"3⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2340
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
243KB
MD5f6825c10ccd485c6f4450b6099362ced
SHA162110f69007850788fc0f49bb0bbb0f9f210dff4
SHA2561880f1e63cb2c4bda5b3cd72369213209eb4e95ff473b1b6b78788109c85570c
SHA512e7e99959e4646bca538ef1ead3ca4a8a9c059c5698e3b36c1fafba6894ba52cc73c99d96f3b568bf1d27bc5f40596f07814d71110703657c8f20950199c51942
-
Filesize
929KB
MD549e9e776c6f5d00a090adbd8814ffdc7
SHA14ea5b8d7b7beb2ad75bbe583c4658093c4ab12bd
SHA256ef25dd02f39549f22a2272768115e7704ce4fd20e305b7aa16f9906b6688e903
SHA51206e761bafcf3aa68a739ec24f17db1f9d1a36f59b940c8de12fd388dbd871dd2ab443a60c7723cd77ec1f52859cef469d9493759acc8acc1cfe1c471bf06f8cd