Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12-11-2024 16:12
Static task: static1
Behavioral task: behavioral1
  Sample: Fizetes_12112024,jpg.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: Fizetes_12112024,jpg.exe
  Resource: win10v2004-20241007-en
General
Target: Fizetes_12112024,jpg.exe
Size: 777KB
MD5: 82c3c2e621b2d98aceaa55163a9ae667
SHA1: 2d84e77fe03a7977d32630af0a5dcc8fe011b916
SHA256: d7408be59e5c5ab5c3259aac689ec3be62f54b43b111cec6310efcf666571fa1
SHA512: 65c847fab147ee188c1b012a58770b1284cdbd45e7710b8edc17fb4c451691fc4bfdf5b3ea8eb3a189fd4b78654336cf5851e9d8ec31c518a6ef3eef8aae83d9
SSDEEP: 12288:ehkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4aCZxHrPKIawhJk:uRmJkcoQricOIQxiZY1iaCZxHriIawfk
Malware Config
Extracted: vipkeylogger
  Protocol: smtp
  Host: mail.vagautocenter.nl
  Port: 587
  Username: [email protected]
  Password: [email protected]
  Email To: [email protected]
Signatures

- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

- Vipkeylogger family

- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow 4: ioc checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description: PID 2380 set thread context of 2092 | pid: 2380 | Process: Fizetes_12112024,jpg.exe | procid_target: 30

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Program crash (1 IoC)
  Processes:
    pid: 2680 | pid_target: 2092 | Process: WerFault.exe | procid_target: 30
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: Fizetes_12112024,jpg.exe
    description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: RegSvcs.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid: 2092 | Process: RegSvcs.exe

- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    pid: 2380 | Process: Fizetes_12112024,jpg.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeDebugPrivilege | pid: 2092 | Process: RegSvcs.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description: PID 2380 wrote to memory of 2092 | pid: 2380 | Process: Fizetes_12112024,jpg.exe | procid_target: 30 (8 identical entries)
    description: PID 2092 wrote to memory of 2680 | pid: 2092 | Process: RegSvcs.exe | procid_target: 31 (4 identical entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\Fizetes_12112024,jpg.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Fizetes_12112024,jpg.exe"
   PID: 2380
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Fizetes_12112024,jpg.exe"
      PID: 2092
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 1072
         PID: 2680
         - Program crash