Overview

overview

10

Static

static

10

void/0394b...43.exe

windows7-x64

3

void/0394b...43.exe

windows10-2004-x64

3

void/0aa21...0f.elf

ubuntu-24.04-amd64

1

void/250bb...13.exe

windows7-x64

6

void/250bb...13.exe

windows10-2004-x64

6

void/257ff...b4.exe

windows7-x64

1

void/257ff...b4.exe

windows10-2004-x64

8

void/37208...92.elf

debian-9-mips

7

void/43958...0d.exe

windows7-x64

10

void/43958...0d.exe

windows10-2004-x64

10

void/469a3...1b.ps1

windows7-x64

10

void/469a3...1b.ps1

windows10-2004-x64

10

void/5a099...8b.exe

windows7-x64

1

void/5a099...8b.exe

windows10-2004-x64

1

void/72cb9...de.elf

ubuntu-22.04-amd64

10

void/73055...90.exe

windows7-x64

3

void/73055...90.exe

windows10-2004-x64

3

การ�...��.exe

windows7-x64

8

การ�...��.exe

windows10-2004-x64

8

void/7ac64...d2.exe

windows7-x64

1

void/7ac64...d2.exe

windows10-2004-x64

8

void/7b380...cc.dmg

macos-10.15-amd64

1

Brew/Brew

macos-10.15-amd64

4

void/7dec8...a.html

windows7-x64

3

void/7dec8...a.html

windows10-2004-x64

3

void/80e6e...e3.exe

windows7-x64

3

void/80e6e...e3.exe

windows10-2004-x64

3

void/82231...6b.exe

windows7-x64

1

void/82231...6b.exe

windows10-2004-x64

8

void/8732e...71.exe

windows7-x64

1

void/8732e...71.exe

windows10-2004-x64

8

void/8c55a...97.elf

debian-9-mipsel

7

Analysis

  • max time kernel
    56s
  • max time network
    64s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/03/2025, 20:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    void/469a30082aeff1c7367a5c98d83d4230947500771e86738903a026859f870f1b.ps1

  • Size

    951B

  • MD5

    991bfc052219f7e9b6e77e2268c08947

  • SHA1

    c6e8df55948ed92caa0401c28dfeb474c02136ef

  • SHA256

    469a30082aeff1c7367a5c98d83d4230947500771e86738903a026859f870f1b

  • SHA512

    bf7a963c06de9f3f66eb568f94bdeda1ea0236c39d8db768e7ecb942018fc1d7effc42295acebb114b7f40bdae5d72756eb1413d7221577bf202051fb7123fd4

Score
10/10
vipkeyloggercollectiondiscoveryexecutionkeyloggerstealer

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Acess2code

Extracted

Family

vipkeylogger

Credentials

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    stealerkeyloggervipkeylogger
  • Vipkeylogger family
    vipkeylogger
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\void\469a30082aeff1c7367a5c98d83d4230947500771e86738903a026859f870f1b.ps1
    1⤵
    • Blocklisted process makes network request
    • Downloads MZ/PE file
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4188
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ffzr3t3l\ffzr3t3l.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2156
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A36.tmp" "c:\Users\Admin\AppData\Local\Temp\ffzr3t3l\CSC6EA734BDB0FA4BED80306C46AAE04268.TMP"
        3⤵
          PID:4964
      • C:\Users\Admin\AppData\Roaming\cosse.exe
        "C:\Users\Admin\AppData\Roaming\cosse.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:3964
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Users\Admin\AppData\Roaming\cosse.exe"
          3⤵
          • Accesses Microsoft Outlook profiles
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:2712

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RES5A36.tmp
      Filesize

      1KB

      MD5

      fc4eac089e685cf8f332d0a5736c1aa8

      SHA1

      239acb3b24d429d0a49295fbb5b9637e4474e20c

      SHA256

      49cf160b632b7ef8b62b0f55c8ea8e3b8ab525d614723d9e8a02ad33f932d480

      SHA512

      5ac6941c5bd5c416407820e6377120e9da1b9e30e28d0606779e4a033d25ee3eefad768afb65ea871286e8d3cb5d19e35103f43110a261478f34f5d96dbabc6e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rrldc0f4.jy0.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\ffzr3t3l\ffzr3t3l.dll
      Filesize

      3KB

      MD5

      694fde19350d244022c26eb84cb8a63f

      SHA1

      e27db75d85c2c506c318dba315342b99d7541b8e

      SHA256

      8b4332276802ec1e2a191ea5f64344c1be612096409d295f71d5c31baf08fd9f

      SHA512

      4f13fc093adca5ec8bd82b81597ea0f4f70cce106fdbd8ebcc6b84788431b42cd54651fdbed4454574582f1eb688c342b4087aea20f020fab23d6805e93bd5db

      Download Submit

    • C:\Users\Admin\AppData\Roaming\cosse.exe
      Filesize

      1020KB

      MD5

      4397e5bc5bc3c6d79b917b17e8b122f3

      SHA1

      007b6e094526fb0bb0978672ff50024e1cc635fc

      SHA256

      63cae99ed47a3a8ad4fcf212d71c0700f5f99390f188ab2c45e17d1c4618ff04

      SHA512

      fd7dca44dbd973cff67d1a0cc2a80fbe2857d464d9c0d44988225c0104bce8b4b33ee01201ae3b91fecf07b2c5bef118b2a61514904b73272a5de4fa54ade386

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\ffzr3t3l\CSC6EA734BDB0FA4BED80306C46AAE04268.TMP
      Filesize

      652B

      MD5

      ca184ac48d5e2610e837c7ed0f5f5d2d

      SHA1

      0b8df9f285d50f7c76b63a14fb3ab0bc6506dbe5

      SHA256

      6fa0cb449d05dbd7d2a80c99731cf4f4251671b944f50ae5571686cc91f7ccbd

      SHA512

      2b182c66bf459ab8d463a466dba266b10191538175083a8466b314c57f93b709daf86513bceec676ddaac4ad49039d646d2ef49554face075e9b7a6e51f61007

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\ffzr3t3l\ffzr3t3l.0.cs
      Filesize

      470B

      MD5

      fc199e95b98fd2bef9dc8c75ac49fd5c

      SHA1

      389c49f099b5da6b47d07e9de292d553c6713f83

      SHA256

      c443f29fb2f6d18f4cb0813c178248952b8856a8e27a157ce046e7eecd99604f

      SHA512

      07b4af2f464e011646d0deb2bd1639cc0ade38b507b84230ee3d4863416a6a9c9d9e6678a438ae203bd534adbe1160198c6575d87f8a88ce440aefd1d018d7ba

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\ffzr3t3l\ffzr3t3l.cmdline
      Filesize

      369B

      MD5

      fcee676ac60c6af506a086ce3e133435

      SHA1

      f677ba1b00520ae1ec49b9d228f30740e625852b

      SHA256

      9785b3f3785c6afc8fa1d2fdfe6c1ba733712891d7bec9db37bbd715f6c8afcf

      SHA512

      25ac07c044afcef2a28ee5e2fe436198c07c7ce905a60691d3c0b58e977d2274342c89fe335d5929a4aef33e2b2651170d0a2aa8a4a61b21570477cd0cd15014

      Download Submit

    • memory/2712-52-0x0000000004D30000-0x0000000004DCC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/2712-57-0x0000000006490000-0x000000000649A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2712-56-0x00000000064F0000-0x0000000006582000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2712-55-0x0000000006980000-0x0000000006EAC000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/2712-54-0x0000000006010000-0x0000000006060000-memory.dmp

      Filesize

      320KB

      Download

    • memory/2712-53-0x0000000006180000-0x0000000006342000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2712-50-0x0000000000370000-0x00000000003BA000-memory.dmp

      Filesize

      296KB

      Download

    • memory/2712-51-0x0000000005240000-0x00000000057E4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4188-14-0x00007FFBD7090000-0x00007FFBD7B51000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4188-42-0x00007FFBD7090000-0x00007FFBD7B51000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4188-1-0x0000023DEC3F0000-0x0000023DEC412000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4188-11-0x00007FFBD7090000-0x00007FFBD7B51000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4188-25-0x0000023DD1550000-0x0000023DD1558000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4188-0-0x00007FFBD7093000-0x00007FFBD7095000-memory.dmp

      Filesize

      8KB

      Download