Analysis
-
max time kernel
149s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
-
submitted
19/02/2025, 10:12
General
-
Target
BugSplat64.dll
-
Size
8.5MB
-
MD5
1ff0255fb75d95d65da33e95cc93d871
-
SHA1
5e59e19d377381faa9c842b3abc53cd1d15c6451
-
SHA256
b28a3906a0ea16e8766f9c14ed934e1f689cf5b0d95c5463bd3e4de97873c046
-
SHA512
b4c693f3499be2a7b38f68caf9241f7f3fe917b329e480420270e342c7a7d398747700ee33de05e08b52bc5ca3b4636ade3a01cc299006d01f0c4cb88a4ceaa4
-
SSDEEP
98304:1gaqeCWnlBVJKsWZiV5wn6dMPdXPE7m2PPf1Gf6:iaqeznl/wsWZiVG6I2NGf
Malware Config
Extracted
Protocol: smtp- Host:
mail.groupscrea.com - Port:
587 - Username:
[email protected] - Password:
cletus1905@
Extracted
vipkeylogger
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Vipkeylogger family
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\BugSplat64.dll,#11⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
4KB
-
Filesize
320KB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
320KB
-
Filesize
624KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
320KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
1.8MB
-
Filesize
320KB
-
Filesize
5.2MB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB