Analysis
-
max time kernel
133s -
max time network
135s -
platform
windows11-21h2_x64 -
resource
win11-20250217-en -
resource tags
-
submitted
19/02/2025, 19:12
General
-
Target
Skery.exe
-
Size
673KB
-
MD5
23c5b9f638e095f67c6e0c038431f24b
-
SHA1
6b3366c3ff8aa8576c520adb20f6fdea2393ed7f
-
SHA256
380487150b51a339c3d8c34526c0109d9b5a904aee3e41abc62c04a63ec18dfb
-
SHA512
0dea689116a01ac15e11420cdbfc01bf70b010fc175f726e873f2f32356d2521dbaf9369b193ca8439a98f29950e5a51e98598e03af5a8995a561b3523b74d15
-
SSDEEP
12288:Xa/AcZ6qJ2s1+pBOijz3U1PbGf+883INo89u/r2XdgjPEmADNA0EpphZNG2q:X4Z6SQB5/3U5SWN3INFu/9jsmY0q
Malware Config
Extracted
vipkeylogger
https://api.telegram.org/bot7888169387:AAFhsoUaeWK9XqbrEJl452LFnH_AAaGbsWI/sendMessage?chat_id=6838630391
Signatures
-
Guloader family
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Vipkeylogger family
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Skery.exe"C:\Users\Admin\AppData\Local\Temp\Skery.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Skery.exe"C:\Users\Admin\AppData\Local\Temp\Skery.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
23KB
MD5e52072c0483110c5aa1b304cb0304187
SHA12a51ef083fee7aa7c78ed6881c064c0e55203b11
SHA2562038d0f02d255770ac5216a86f709bd5e7d2dc1b0a6942a86427cc76eee2c685
SHA5128dee1c67873e338f64de674f4179ca6fd90475510ed2183e3bbff2becc3a625c8b1bb3118122cb6bf767804938cd8f9d41ac2c32101ba64579858d3309ad7959
-
Filesize
12KB
MD50d7ad4f45dc6f5aa87f606d0331c6901
SHA148df0911f0484cbe2a8cdd5362140b63c41ee457
SHA2563eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9
-
Filesize
864B
MD5bf8f1faebcbb127a950114cbf96e044a
SHA122a597e92d5f2c06da6d655325eef15686ee1e43
SHA256e20d4852d16c7d991eb4cb6f659d141d20e2ac790cfbe01c349394d569104b22
SHA512f2760efdddaec2915c6d8064a86287055fa5e34ad481fffef3be7878664f0d2292148c3c441db8065643f080ba7964db673d758e67e980526ccdc75b2f0be91c
-
Filesize
5.6MB
-
Filesize
62.4MB
-
Filesize
2.0MB
-
Filesize
19.1MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
296KB
-
Filesize
40KB
-
Filesize
624KB
-
Filesize
62.4MB
-
Filesize
2.0MB
-
Filesize
1.8MB
-
Filesize
320KB
-
Filesize
5.2MB
-
Filesize
584KB
-
Filesize
2.0MB
-
Filesize
1.2MB