Analysis
-
max time kernel
146s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
04-12-2024 14:35
Static task
static1
Behavioral task
behavioral1
Sample
FRA.2080 GRACARE MAIG (2).exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
FRA.2080 GRACARE MAIG (2).exe
Resource
win10v2004-20241007-en
General
-
Target
FRA.2080 GRACARE MAIG (2).exe
-
Size
528KB
-
MD5
341ae38ffefa01cb1ce586636e6629db
-
SHA1
ec0f4fa6942ef3aadc183d440239e883faeab607
-
SHA256
2ff3d2bda15e7a1ceb97f318d9e85d930e6a75a135d70b953b708c96f90921a7
-
SHA512
8b342bb4b381421be54a5876fba24cc6bccc1a0ecca48c6afb949b97645fdb69141e1dd1017d97fde3a3a080897a79534d0719119d4d2a076573b2c72fb98819
-
SSDEEP
12288:aICiw3Giju9h1LrEOn1UuwE1eu0yoS/B3FYA1Y/:Miw2Uu9DLrEOnZwo/z/lJs
Malware Config
Extracted
vipkeylogger
Protocol: smtp- Host:
smtp.ionos.es - Port:
587 - Username:
[email protected] - Password:
SOCAG3_314$%] - Email To:
[email protected]
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Vipkeylogger family
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 msiexec.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 msiexec.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 msiexec.exe -
Blocklisted process makes network request 8 IoCs
flow pid Process 18 1568 msiexec.exe 20 1568 msiexec.exe 24 1568 msiexec.exe 26 1568 msiexec.exe 28 1568 msiexec.exe 36 1568 msiexec.exe 39 1568 msiexec.exe 54 1568 msiexec.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 18 drive.google.com 17 drive.google.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 35 checkip.dyndns.org -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
pid Process 1568 msiexec.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 2308 powershell.exe 1568 msiexec.exe -
pid Process 2308 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FRA.2080 GRACARE MAIG (2).exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msiexec.exe -
Suspicious behavior: EnumeratesProcesses 11 IoCs
pid Process 2308 powershell.exe 2308 powershell.exe 2308 powershell.exe 2308 powershell.exe 2308 powershell.exe 2308 powershell.exe 2308 powershell.exe 2308 powershell.exe 2308 powershell.exe 1568 msiexec.exe 1568 msiexec.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2308 powershell.exe -
Suspicious use of AdjustPrivilegeToken 23 IoCs
description pid Process Token: SeDebugPrivilege 2308 powershell.exe Token: SeIncreaseQuotaPrivilege 2308 powershell.exe Token: SeSecurityPrivilege 2308 powershell.exe Token: SeTakeOwnershipPrivilege 2308 powershell.exe Token: SeLoadDriverPrivilege 2308 powershell.exe Token: SeSystemProfilePrivilege 2308 powershell.exe Token: SeSystemtimePrivilege 2308 powershell.exe Token: SeProfSingleProcessPrivilege 2308 powershell.exe Token: SeIncBasePriorityPrivilege 2308 powershell.exe Token: SeCreatePagefilePrivilege 2308 powershell.exe Token: SeBackupPrivilege 2308 powershell.exe Token: SeRestorePrivilege 2308 powershell.exe Token: SeShutdownPrivilege 2308 powershell.exe Token: SeDebugPrivilege 2308 powershell.exe Token: SeSystemEnvironmentPrivilege 2308 powershell.exe Token: SeRemoteShutdownPrivilege 2308 powershell.exe Token: SeUndockPrivilege 2308 powershell.exe Token: SeManageVolumePrivilege 2308 powershell.exe Token: 33 2308 powershell.exe Token: 34 2308 powershell.exe Token: 35 2308 powershell.exe Token: 36 2308 powershell.exe Token: SeDebugPrivilege 1568 msiexec.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 32 wrote to memory of 2308 32 FRA.2080 GRACARE MAIG (2).exe 83 PID 32 wrote to memory of 2308 32 FRA.2080 GRACARE MAIG (2).exe 83 PID 32 wrote to memory of 2308 32 FRA.2080 GRACARE MAIG (2).exe 83 PID 2308 wrote to memory of 1568 2308 powershell.exe 91 PID 2308 wrote to memory of 1568 2308 powershell.exe 91 PID 2308 wrote to memory of 1568 2308 powershell.exe 91 PID 2308 wrote to memory of 1568 2308 powershell.exe 91 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 msiexec.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 msiexec.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\FRA.2080 GRACARE MAIG (2).exe"C:\Users\Admin\AppData\Local\Temp\FRA.2080 GRACARE MAIG (2).exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:32 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -windowstyle minimized "$Citrona=Get-Content -Raw 'C:\Users\Admin\AppData\Roaming\postarmistice\monospermy\brevbombe\Frierne3.bli';$Acaulose=$Citrona.SubString(43554,3);.$Acaulose($Citrona)"2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe"3⤵
- Accesses Microsoft Outlook profiles
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1568
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
308KB
MD5b98a76728721061a75e4b61a0ca4f4ac
SHA17604cdca3e559673c5109b43ca381d43d9120a74
SHA2566d8124a21ecc9e02a10816d25c4bbb1a1320cc320504337888ab80ada8821190
SHA512da532eeb061da5e57cb3220f1c6c497a571bc4dc249c2af57d49af31eaf9fb3693b50fbf5e556315c3e8600c07dbaa7d9fa33b29bb3f3b7115a9d94943418cc1
-
Filesize
70KB
MD5b3fc6d31cf4671c23231a53a56f74e10
SHA12995c5c0a3b900db76ff125e14c24e81aedefa95
SHA256d8cac93299fbda6ba2e414bd1ca88c6f01aed1ffed466d6ef001081027d27d1d
SHA512e6de53554e42b580ca4331061306f4ac076bb2afe9cc9840775ef0884530071c58004ca37c07da7702dff44a72ccad16847dcce032e1ffd28373a0beb8a0076a