Overview

overview

10

Static

static

3

Invoice-736784.exe

windows7-x64

7

Invoice-736784.exe

windows10-2004-x64

10

$PLUGINSDI...LL.dll

windows7-x64

3

$PLUGINSDI...LL.dll

windows10-2004-x64

8

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

8

Analysis

  • max time kernel
    141s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250207-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-02-2025 09:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Invoice-736784.exe

  • Size

    921KB

  • MD5

    252feb4a3f2b23c726a6814eef75b8e4

  • SHA1

    8a9e7e4bf07f61ec6eb2008d4423eca9fdb439e0

  • SHA256

    3d13098a7038e2edec5a45c9d670e404f20187fc504d743ca73fc99bfb295be9

  • SHA512

    209fdbdc2a63870557947785a1db127928ba6175c92b0e288ca5139b4e1ad33b18ef36c70b93512f48fd099588bbca43bc7730c6800ef31029c3ce7181c67359

  • SSDEEP

    24576:8s2Nl1FAGoUvfMOK4fWmVRpkVoJfCMoU8Z1An:glDUU0UW8lCLU8ZCn

Score
10/10
guloadervipkeyloggercollectiondiscoverydownloaderkeyloggerspywarestealer

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7925601648:AAFJQr-qYufJQhg5VRCefCc8bUKVvQ_OCT4/sendMessage?chat_id=1940565380

Signatures

  • Guloader family
    guloader
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    stealerkeyloggervipkeylogger
  • Vipkeylogger family
    vipkeylogger
  • Downloads MZ/PE file 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Invoice-736784.exe
    "C:\Users\Admin\AppData\Local\Temp\Invoice-736784.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3260
    • C:\Users\Admin\AppData\Local\Temp\Invoice-736784.exe
      "C:\Users\Admin\AppData\Local\Temp\Invoice-736784.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:2420
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RTUyNUJCNUEtNEQ3Ny00NDY0LUIzNDQtQkFBRDBEOTZBNDUyfSIgdXNlcmlkPSJ7OERCQjZBNTQtMEI0NS00OTE4LUE0N0MtNDZDNTQxNzMwMDU4fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RUNGMUY2MjQtODlDMy00MjIxLTg1OUItMzUzREE4MjRBODE3fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIzIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU4NjAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODIxNjMwOTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDk4MTkxODQ2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:4416

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\furriery.ini
    Filesize

    38B

    MD5

    b1ef763e50c5aabcdf24507256cdecb5

    SHA1

    544323e0812a2d71bc5e156e42bbe25f6082afab

    SHA256

    65724906ac58f577bd6b805237a1d03107bd94276121ef81e1fbfd368672abb4

    SHA512

    71c29b23cc8d2f16bb9f4667d25a7d01cf593134425359fc735c6056d154addb113dce0a9899f90d0dac4b3e46a3849fdee9190f3bf067fdba3b89f5b1170c67

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nso90C7.tmp\LangDLL.dll
    Filesize

    5KB

    MD5

    b21a3377e66b941df6d5b7cf8ba7a43a

    SHA1

    e7ed27fce2db9cdc11ca3c640806731dcef3864a

    SHA256

    ba46a03088f690ce966043f49761ff3a3a0dca236160794de841dfecc3588d1e

    SHA512

    f011a824c0ff7f87c6da112898f4afc87e12c5b39fb40ffcc0955012e79a4302597d892224b3b47e8143480605c73275d3799d6d2000cdf179c2912241f86916

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nso90C7.tmp\System.dll
    Filesize

    12KB

    MD5

    792b6f86e296d3904285b2bf67ccd7e0

    SHA1

    966b16f84697552747e0ddd19a4ba8ab5083af31

    SHA256

    c7a20bcaa0197aedddc8e4797bbb33fdf70d980f5e83c203d148121c2106d917

    SHA512

    97edc3410b88ca31abc0af0324258d2b59127047810947d0fb5e7e12957db34d206ffd70a0456add3a26b0546643ff0234124b08423c2c9ffe9bdec6eb210f2c

    Download Submit

  • memory/2420-70-0x0000000000460000-0x00000000004A8000-memory.dmp

    Filesize

    288KB

    Download

  • memory/2420-68-0x0000000000460000-0x00000000016B4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2420-86-0x0000000037040000-0x000000003756C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/2420-49-0x00000000016C0000-0x0000000003414000-memory.dmp

    Filesize

    29.3MB

    Download

  • memory/2420-51-0x00000000016C0000-0x0000000003414000-memory.dmp

    Filesize

    29.3MB

    Download

  • memory/2420-60-0x0000000000460000-0x00000000016B4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2420-67-0x00000000016C0000-0x0000000003414000-memory.dmp

    Filesize

    29.3MB

    Download

  • memory/2420-85-0x00000000036F0000-0x0000000003740000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2420-69-0x00000000016C0000-0x0000000003414000-memory.dmp

    Filesize

    29.3MB

    Download

  • memory/2420-84-0x0000000036E70000-0x0000000037032000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2420-71-0x00000000363C0000-0x0000000036964000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2420-72-0x0000000036230000-0x00000000362CC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3260-47-0x0000000004B40000-0x0000000006894000-memory.dmp

    Filesize

    29.3MB

    Download

  • memory/3260-48-0x0000000077971000-0x0000000077A91000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3260-50-0x0000000004B40000-0x0000000006894000-memory.dmp

    Filesize

    29.3MB

    Download