Analysis
-
max time kernel
140s -
max time network
133s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
11-01-2025 04:17
General
-
Target
8d5ad043ae91a80f57574f52b78402a7497b7377a29ebd2401c1f42ef0c41617.exe
-
Size
2.7MB
-
MD5
6776d32ed5b26c788e25c1632b555d47
-
SHA1
ca579bfb0a3a85fd0c234385d1fc5873a19d11a4
-
SHA256
8d5ad043ae91a80f57574f52b78402a7497b7377a29ebd2401c1f42ef0c41617
-
SHA512
aecb65a4d5d6d645910ce651a3277d97f4a51b145b0edfd1d1c495d6a915acb18a654b6fa81c7d7d57d7ebcb5215286c3df9802f682695f9c06e8ff52e92df12
-
SSDEEP
49152:oKQK2r0YVjKDyOSRTzsTSKC7o5lq/Ucqw:nZ2IYVjKDyOSJzJKCse/E
Malware Config
Extracted
vipkeylogger
https://api.telegram.org/bot7365820770:AAFcSgCB-t8aplspIAYTFtpf48_ydah4lyE/sendMessage?chat_id=5830304904
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Vipkeylogger family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8d5ad043ae91a80f57574f52b78402a7497b7377a29ebd2401c1f42ef0c41617.exe"C:\Users\Admin\AppData\Local\Temp\8d5ad043ae91a80f57574f52b78402a7497b7377a29ebd2401c1f42ef0c41617.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Accesses Microsoft Outlook profiles
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.7MB
-
Filesize
8KB
-
Filesize
148KB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
320KB
-
Filesize
312KB
-
Filesize
2.7MB
-
Filesize
148KB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB