Analysis
- max time kernel: 111s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09-12-2024 02:43
Static task: static1
Behavioral task: behavioral1
- Sample: Receipt.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: Receipt.exe
- Resource: win10v2004-20241007-en
General
- Target: Receipt.exe
- Size: 1.1MB
- MD5: 1d0c53e42bd84b7b7cfabed7dae7f570
- SHA1: 0b0df40afe9bed5720c361fe7ed63395e1a25f41
- SHA256: ddadbda4f90dc1d05f3e78ac6e5009c2e6608137b60bce3427e25ffea1b4d944
- SHA512: 9ab7671f48d5dbeb58c93b61998762ed91da2f566421ff11f53edfdb6a65af0199ff4bb31647ec296cae7f85ba7cfc71340fbb931e6a05fd5aa03a43f5026057
- SSDEEP: 24576:cu6J33O0c+JY5UZ+XC0kGso6FaNAaW2Kh7ZClY9lnmWY:Gu0c++OCvkGs9FaNAaWphNCC1Y
Malware Config
- Extracted: vipkeylogger
Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.

Vipkeylogger family
Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ghauts.vbs | ghauts.exe

Executes dropped EXE (3 IoCs)
  pid | Process
  3172 | ghauts.exe
  2524 | ghauts.exe
  312 | ghauts.exe

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  13 | checkip.dyndns.org

AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral2/files/0x0008000000023bc3-9.dat | autoit_exe

Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 312 set thread context of 1612 | 312 | ghauts.exe | 87
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Receipt.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ghauts.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ghauts.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ghauts.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegSvcs.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  1612 | RegSvcs.exe (x2)

Suspicious behavior: MapViewOfSection (3 IoCs)
  pid | Process
  3172 | ghauts.exe
  2524 | ghauts.exe
  312 | ghauts.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 1612 | RegSvcs.exe

Suspicious use of FindShellTrayWindow (12 IoCs)
  pid | Process
  2640 | Receipt.exe (x3)
  3172 | ghauts.exe (x3)
  2524 | ghauts.exe (x3)
  312 | ghauts.exe (x3)

Suspicious use of SendNotifyMessage (12 IoCs)
  pid | Process
  2640 | Receipt.exe (x3)
  3172 | ghauts.exe (x3)
  2524 | ghauts.exe (x3)
  312 | ghauts.exe (x3)

Suspicious use of WriteProcessMemory (19 IoCs)
  description | pid | Process | procid_target
  PID 2640 wrote to memory of 3172 (x3) | 2640 | Receipt.exe | 82
  PID 3172 wrote to memory of 3840 (x3) | 3172 | ghauts.exe | 83
  PID 3172 wrote to memory of 2524 (x3) | 3172 | ghauts.exe | 84
  PID 2524 wrote to memory of 2344 (x3) | 2524 | ghauts.exe | 85
  PID 2524 wrote to memory of 312 (x3) | 2524 | ghauts.exe | 86
  PID 312 wrote to memory of 1612 (x4) | 312 | ghauts.exe | 87

outlook_office_path (1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe

outlook_win_path (1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Processes
(depth) image path | command line | PID, followed by the signatures triggered by that process

(1) C:\Users\Admin\AppData\Local\Temp\Receipt.exe | "C:\Users\Admin\AppData\Local\Temp\Receipt.exe" | PID 2640
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

  (2) C:\Users\Admin\AppData\Local\Okeghem\ghauts.exe | "C:\Users\Admin\AppData\Local\Temp\Receipt.exe" | PID 3172
      - Drops startup file
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

    (3) C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Users\Admin\AppData\Local\Temp\Receipt.exe" | PID 3840

    (3) C:\Users\Admin\AppData\Local\Okeghem\ghauts.exe | "C:\Users\Admin\AppData\Local\Okeghem\ghauts.exe" | PID 2524
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

      (4) C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Users\Admin\AppData\Local\Okeghem\ghauts.exe" | PID 2344

      (4) C:\Users\Admin\AppData\Local\Okeghem\ghauts.exe | "C:\Users\Admin\AppData\Local\Okeghem\ghauts.exe" | PID 312
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory

        (5) C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Users\Admin\AppData\Local\Okeghem\ghauts.exe" | PID 1612
            - Accesses Microsoft Outlook profiles
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - outlook_office_path
            - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Downloads
Three files were recorded; the first is the submitted sample itself (same MD5 as in General).
- Filesize: 1.1MB (the submitted sample, Receipt.exe)
- Filesize: 235KB
- Filesize: 237KB