Overview

overview

10

Static

static

3

Invoice#29...df.exe

windows7-x64

10

Invoice#29...df.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-01-2025 04:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Invoice#2968 (PO#83270) pdf.exe

  • Size

    832KB

  • MD5

    2fa6791b73bec4f05a53347a37c0a2e4

  • SHA1

    c5e240318972c79afcb40b8b3cf185cfa523e0ee

  • SHA256

    517c2ec612e5eef224a280a1509a9c646237a0295ab0a26534e362f3dace92e9

  • SHA512

    e6e4d6f4644cd7452551574f5959c86ecdde156412294dc27651b9efbdfb13fccf5031432e3fb0d02a2d64647762bcba13c89573d361c2fdfd40194c2f6d9c9a

  • SSDEEP

    24576:fO6e12gVzguVxwVzN6vET4XvjkFy05e5v+:W912gVsjR0gukkT5v

Score
10/10
vipkeyloggercollectiondiscoverykeyloggerspywarestealer

Malware Config

Extracted

Family

vipkeylogger

Credentials
C2

https://api.telegram.org/bot8066712820:AAEAb01u8B6eDO5xCMdAz6XCOHC_L2RpVGo/sendMessage?chat_id=7667424178

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    stealerkeyloggervipkeylogger
  • Vipkeylogger family
    vipkeylogger
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Invoice#2968 (PO#83270) pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Invoice#2968 (PO#83270) pdf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:680
    • C:\Users\Admin\AppData\Local\Temp\Invoice#2968 (PO#83270) pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Invoice#2968 (PO#83270) pdf.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:3932

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Invoice#2968 (PO#83270) pdf.exe.log
    Filesize

    1KB

    MD5

    27ddd0570ed445448bd21f842d95de9a

    SHA1

    309c3d8986b7aab1298b97a82ee830c244040ad6

    SHA256

    cb1e0630cc219962d2aaff5d9bf69c4197c7a5c7d080a6409b368eb417ab0e90

    SHA512

    6e4eee130d20ef2b5909582c0b727b7097dce9600414a363cfffb79fddecd5ccbca9518a8bd040b5a2293ee3d08bf37a4a4c1126ff56dbc9b136c1d312769a85

    Download Submit

  • memory/680-10-0x0000000074890000-0x0000000075040000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/680-1-0x00000000008C0000-0x0000000000994000-memory.dmp

    Filesize

    848KB

    Download

  • memory/680-3-0x00000000053B0000-0x0000000005442000-memory.dmp

    Filesize

    584KB

    Download

  • memory/680-4-0x00000000054A0000-0x00000000057F4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/680-5-0x0000000074890000-0x0000000075040000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/680-6-0x0000000005480000-0x000000000548A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/680-7-0x00000000069A0000-0x0000000006A6A000-memory.dmp

    Filesize

    808KB

    Download

  • memory/680-11-0x0000000002C30000-0x0000000002CBE000-memory.dmp

    Filesize

    568KB

    Download

  • memory/680-9-0x000000007489E000-0x000000007489F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/680-0-0x000000007489E000-0x000000007489F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/680-8-0x0000000006A70000-0x0000000006A8E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/680-12-0x000000000DD30000-0x000000000DDCC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/680-17-0x0000000074890000-0x0000000075040000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/680-2-0x0000000005A50000-0x0000000005FF4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3932-16-0x0000000074890000-0x0000000075040000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3932-13-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/3932-18-0x0000000074890000-0x0000000075040000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3932-19-0x0000000006F80000-0x0000000007142000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/3932-20-0x0000000006E20000-0x0000000006E70000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3932-21-0x0000000074890000-0x0000000075040000-memory.dmp

    Filesize

    7.7MB

    Download