Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
03-12-2024 09:17
Static task
static1
Behavioral task
behavioral1
Sample
kelscrit.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
kelscrit.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240729-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
General
-
Target
kelscrit.exe
-
Size
563KB
-
MD5
64ea70b77e9654021dfe4c5b42a788db
-
SHA1
ff668253991db29fa83a93a962654a2a13cc87ba
-
SHA256
919036bc72056762803c599929ee33811f1c9a13f55c571008b57b20b638c54b
-
SHA512
7ebdbe6ff9e14ec408f52611962af70f24136ee6976a4239f636971d778d9d3491188ccb18c5908f0c69bace9c115dc909a199bec9c74b44ada381c4f8a4429b
-
SSDEEP
12288:7fYfUlNHYh6qFkbpBOO64kfPZxIgL3lweEbH+aB:7fYMPYc/FHkfhxIgZQH9B
Malware Config
Extracted
vipkeylogger
https://api.telegram.org/bot6358867316:AAGYz8F7DpACV8KuAbFAee27mS5P18ckXUM/sendMessage?chat_id=6361450335
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Vipkeylogger family
-
Loads dropped DLL 2 IoCs
pid Process 2808 kelscrit.exe 2808 kelscrit.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 kelscrit.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 kelscrit.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 kelscrit.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 20 drive.google.com 21 drive.google.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 32 checkip.dyndns.org -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
pid Process 1788 kelscrit.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 2808 kelscrit.exe 1788 kelscrit.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2808 set thread context of 1788 2808 kelscrit.exe 91 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kelscrit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kelscrit.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1788 kelscrit.exe 1788 kelscrit.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2808 kelscrit.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1788 kelscrit.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 2808 wrote to memory of 1788 2808 kelscrit.exe 91 PID 2808 wrote to memory of 1788 2808 kelscrit.exe 91 PID 2808 wrote to memory of 1788 2808 kelscrit.exe 91 PID 2808 wrote to memory of 1788 2808 kelscrit.exe 91 PID 2808 wrote to memory of 1788 2808 kelscrit.exe 91 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 kelscrit.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 kelscrit.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\kelscrit.exe"C:\Users\Admin\AppData\Local\Temp\kelscrit.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Users\Admin\AppData\Local\Temp\kelscrit.exe"C:\Users\Admin\AppData\Local\Temp\kelscrit.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1788
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
MD5192639861e3dc2dc5c08bb8f8c7260d5
SHA158d30e460609e22fa0098bc27d928b689ef9af78
SHA25623d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6
SHA5126e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc