Analysis

  • max time kernel
    143s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 14:26

General

  • Target

    CERTIFICADO TITULARIDAD.exe

  • Size

    573KB

  • MD5

    597971be325bbba1df725a7c101a4c58

  • SHA1

    90e6b7d6c632cc6fb0d5641ec9b987d5e3387397

  • SHA256

    535d29bedc8c720ed7daaeb5e8d79c650b21664d72bad77106eb518975be223b

  • SHA512

    ca6f8eab690ab14fcabb7571deba25edeac92bc0167df73607effeec9f1eb680034969b1feda6d62a6002bbea100a4876800bef1d5058033bc7642fc664cf7bb

  • SSDEEP

    12288:bXjIKeMQ2PATRg+s/iJplEElhvfTsjzMw1LwKpmkz:bXjIKRQFRC/yTEELD81cCtz

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot8148338634:AAFvLNrhxaF7bMPzQMLbUnueRMJvDIi5kcU/sendMessage?chat_id=7698865320

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

  • Vipkeylogger family
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CERTIFICADO TITULARIDAD.exe
    "C:\Users\Admin\AppData\Local\Temp\CERTIFICADO TITULARIDAD.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3552
    • C:\Users\Admin\AppData\Local\Temp\CERTIFICADO TITULARIDAD.exe
      "C:\Users\Admin\AppData\Local\Temp\CERTIFICADO TITULARIDAD.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:4836

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsv7C16.tmp\System.dll

    Filesize

    12KB

    MD5

    4add245d4ba34b04f213409bfe504c07

    SHA1

    ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

    SHA256

    9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

    SHA512

    1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

  • memory/3552-11-0x0000000077A11000-0x0000000077B31000-memory.dmp

    Filesize

    1.1MB

  • memory/3552-13-0x0000000074875000-0x0000000074876000-memory.dmp

    Filesize

    4KB

  • memory/3552-12-0x0000000077A11000-0x0000000077B31000-memory.dmp

    Filesize

    1.1MB

  • memory/4836-14-0x0000000077A11000-0x0000000077B31000-memory.dmp

    Filesize

    1.1MB

  • memory/4836-15-0x0000000077A98000-0x0000000077A99000-memory.dmp

    Filesize

    4KB

  • memory/4836-16-0x0000000077AB5000-0x0000000077AB6000-memory.dmp

    Filesize

    4KB

  • memory/4836-29-0x0000000000460000-0x00000000016B4000-memory.dmp

    Filesize

    18.3MB

  • memory/4836-30-0x0000000077A11000-0x0000000077B31000-memory.dmp

    Filesize

    1.1MB

  • memory/4836-31-0x000000007290E000-0x000000007290F000-memory.dmp

    Filesize

    4KB

  • memory/4836-32-0x0000000000460000-0x00000000004A8000-memory.dmp

    Filesize

    288KB

  • memory/4836-33-0x00000000397F0000-0x0000000039D94000-memory.dmp

    Filesize

    5.6MB

  • memory/4836-34-0x0000000039600000-0x000000003969C000-memory.dmp

    Filesize

    624KB

  • memory/4836-35-0x0000000072900000-0x00000000730B0000-memory.dmp

    Filesize

    7.7MB

  • memory/4836-37-0x000000003A1E0000-0x000000003A3A2000-memory.dmp

    Filesize

    1.8MB

  • memory/4836-38-0x0000000039790000-0x00000000397E0000-memory.dmp

    Filesize

    320KB

  • memory/4836-39-0x000000007290E000-0x000000007290F000-memory.dmp

    Filesize

    4KB

  • memory/4836-40-0x0000000072900000-0x00000000730B0000-memory.dmp

    Filesize

    7.7MB

  • memory/4836-42-0x000000003A440000-0x000000003A4D2000-memory.dmp

    Filesize

    584KB

  • memory/4836-43-0x000000003A510000-0x000000003A51A000-memory.dmp

    Filesize

    40KB