Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
25-11-2024 06:07
Static task
static1
Behavioral task
behavioral1
Sample
Shave.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Shave.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
General
-
Target
Shave.exe
-
Size
536KB
-
MD5
51000c141b602569cf44b0f8bec9ecb8
-
SHA1
d7b819dbc26b3e66c99d233c5c7fc86492e626dd
-
SHA256
5b19a26d6e86bbcd6d454baee6ae7c77f1c4ca6017ad965eb79098308346f383
-
SHA512
8b38516298e15002a228424f926552b9abc06fb7fb0da94d78a48fea4c0a861fc5bdbcdf9db733f9644a480b4099d237cd70531b8afa11879562d71dd7ee2283
-
SSDEEP
6144:9lgvTRHy2nGlwzQ7LA+CB+f6tb9PTPgN++6aCUYvIRN3JGrYJfXvk0OFP2lmBLoE:32EI+CnhxC+JaWSRlXMPL6TEHmd3ZhZ8
Malware Config
Extracted
Protocol: smtp- Host:
mail.cipmach.com - Port:
587 - Username:
[email protected] - Password:
mail@2019$
Extracted
vipkeylogger
Protocol: smtp- Host:
mail.cipmach.com - Port:
587 - Username:
[email protected] - Password:
mail@2019$ - Email To:
[email protected]
Signatures
-
Guloader family
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Vipkeylogger family
-
Loads dropped DLL 1 IoCs
pid Process 4080 Shave.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Shave.exe Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Shave.exe Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Shave.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 22 checkip.dyndns.org -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
pid Process 4296 Shave.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 4080 Shave.exe 4296 Shave.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4080 set thread context of 4296 4080 Shave.exe 87 -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\resources\0409\slnger\barometerstandenes.san Shave.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Shave.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Shave.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4296 Shave.exe 4296 Shave.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 4080 Shave.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4296 Shave.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 4080 wrote to memory of 4296 4080 Shave.exe 87 PID 4080 wrote to memory of 4296 4080 Shave.exe 87 PID 4080 wrote to memory of 4296 4080 Shave.exe 87 PID 4080 wrote to memory of 4296 4080 Shave.exe 87 PID 4080 wrote to memory of 4296 4080 Shave.exe 87 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Shave.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Shave.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Shave.exe"C:\Users\Admin\AppData\Local\Temp\Shave.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4080 -
C:\Users\Admin\AppData\Local\Temp\Shave.exe"C:\Users\Admin\AppData\Local\Temp\Shave.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4296
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD575ed96254fbf894e42058062b4b4f0d1
SHA1996503f1383b49021eb3427bc28d13b5bbd11977
SHA256a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7
SHA51258174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4