Analysis
max time kernel: 121s
max time network: 137s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 09-12-2024 02:43
Static task: static1
Behavioral task: behavioral1 (Sample: Receipt.exe; Resource: win7-20240708-en)
Behavioral task: behavioral2 (Sample: Receipt.exe; Resource: win10v2004-20241007-en)
General
Target: Receipt.exe
Size: 1.1MB
MD5: 1d0c53e42bd84b7b7cfabed7dae7f570
SHA1: 0b0df40afe9bed5720c361fe7ed63395e1a25f41
SHA256: ddadbda4f90dc1d05f3e78ac6e5009c2e6608137b60bce3427e25ffea1b4d944
SHA512: 9ab7671f48d5dbeb58c93b61998762ed91da2f566421ff11f53edfdb6a65af0199ff4bb31647ec296cae7f85ba7cfc71340fbb931e6a05fd5aa03a43f5026057
SSDEEP: 24576:cu6J33O0c+JY5UZ+XC0kGso6FaNAaW2Kh7ZClY9lnmWY:Gu0c++OCvkGs9FaNAaWphNCC1Y
Malware Config
Extracted: vipkeylogger
Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.

Vipkeylogger family

Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ghauts.vbs | ghauts.exe

Executes dropped EXE (1 IoC)
pid | Process
2796 | ghauts.exe

Loads dropped DLL (1 IoC)
pid | Process
1508 | Receipt.exe

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
4 | checkip.dyndns.org

AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/files/0x002e0000000160e7-8.dat | autoit_exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2796 set thread context of 2832 | 2796 | ghauts.exe | 31

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ghauts.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegSvcs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Receipt.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2832 | RegSvcs.exe
2832 | RegSvcs.exe

Suspicious behavior: MapViewOfSection (1 IoC)
pid | Process
2796 | ghauts.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 2832 | RegSvcs.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
pid | Process
1508 | Receipt.exe
1508 | Receipt.exe
2796 | ghauts.exe
2796 | ghauts.exe

Suspicious use of SendNotifyMessage (4 IoCs)
pid | Process
1508 | Receipt.exe
1508 | Receipt.exe
2796 | ghauts.exe
2796 | ghauts.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 1508 wrote to memory of 2796 | 1508 | Receipt.exe | 30 (4 identical entries)
PID 2796 wrote to memory of 2832 | 2796 | ghauts.exe | 31 (8 identical entries)

outlook_office_path (1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe

outlook_win_path (1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\Receipt.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\Receipt.exe"
   PID: 1508
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Okeghem\ghauts.exe (child of PID 1508)
      command line: "C:\Users\Admin\AppData\Local\Temp\Receipt.exe"
      PID: 2796
      - Drops startup file
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (child of PID 2796)
         command line: "C:\Users\Admin\AppData\Local\Temp\Receipt.exe"
         PID: 2832
         - Accesses Microsoft Outlook profiles
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - outlook_office_path
         - outlook_win_path