Overview

overview

10

Static

static

10

void/0394b...43.exe

windows7-x64

3

void/0394b...43.exe

windows10-2004-x64

3

void/0aa21...0f.elf

ubuntu-24.04-amd64

1

void/250bb...13.exe

windows7-x64

6

void/250bb...13.exe

windows10-2004-x64

6

void/257ff...b4.exe

windows7-x64

1

void/257ff...b4.exe

windows10-2004-x64

8

void/37208...92.elf

debian-9-mips

1

void/43958...0d.exe

windows7-x64

10

void/43958...0d.exe

windows10-2004-x64

10

void/469a3...1b.ps1

windows7-x64

8

void/469a3...1b.ps1

windows10-2004-x64

10

void/5a099...8b.exe

windows7-x64

1

void/5a099...8b.exe

windows10-2004-x64

1

void/72cb9...de.elf

ubuntu-22.04-amd64

10

void/73055...90.exe

windows7-x64

3

void/73055...90.exe

windows10-2004-x64

3

การ�...��.exe

windows7-x64

1

การ�...��.exe

windows10-2004-x64

8

void/7ac64...d2.exe

windows7-x64

1

void/7ac64...d2.exe

windows10-2004-x64

8

void/7b380...cc.dmg

macos-10.15-amd64

1

Brew/Brew

macos-10.15-amd64

4

void/7dec8...a.html

windows7-x64

3

void/7dec8...a.html

windows10-2004-x64

3

void/80e6e...e3.exe

windows7-x64

3

void/80e6e...e3.exe

windows10-2004-x64

3

void/82231...6b.exe

windows7-x64

1

void/82231...6b.exe

windows10-2004-x64

8

void/8732e...71.exe

windows7-x64

1

void/8732e...71.exe

windows10-2004-x64

8

void/8c55a...97.elf

debian-9-mipsel

7

Analysis

  • max time kernel
    59s
  • max time network
    63s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/03/2025, 20:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    void/469a30082aeff1c7367a5c98d83d4230947500771e86738903a026859f870f1b.ps1

  • Size

    951B

  • MD5

    991bfc052219f7e9b6e77e2268c08947

  • SHA1

    c6e8df55948ed92caa0401c28dfeb474c02136ef

  • SHA256

    469a30082aeff1c7367a5c98d83d4230947500771e86738903a026859f870f1b

  • SHA512

    bf7a963c06de9f3f66eb568f94bdeda1ea0236c39d8db768e7ecb942018fc1d7effc42295acebb114b7f40bdae5d72756eb1413d7221577bf202051fb7123fd4

Score
10/10
vipkeyloggercollectiondiscoveryexecutionkeyloggerstealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    stealerkeyloggervipkeylogger
  • Vipkeylogger family
    vipkeylogger
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\void\469a30082aeff1c7367a5c98d83d4230947500771e86738903a026859f870f1b.ps1
    1⤵
    • Blocklisted process makes network request
    • Downloads MZ/PE file
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3760
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pd4qxeaq\pd4qxeaq.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1792
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9A2D.tmp" "c:\Users\Admin\AppData\Local\Temp\pd4qxeaq\CSC8ADB27EDDF424169852BA0BBD33D69D.TMP"
        3⤵
          PID:4776
      • C:\Users\Admin\AppData\Roaming\cosse.exe
        "C:\Users\Admin\AppData\Roaming\cosse.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:756
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Users\Admin\AppData\Roaming\cosse.exe"
          3⤵
          • Accesses Microsoft Outlook profiles
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:5636

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RES9A2D.tmp
      Filesize

      1KB

      MD5

      de00d79b6335b75533cae6d545d90e68

      SHA1

      d68bf337bd6492d0803227755d19c5cdd1718f07

      SHA256

      66d6750e36031907cdeafc0cf5d035a93f8eb48e7220e6ae567add1a24b6baf1

      SHA512

      d5c666f746cf077e85b5b3ad5c6699cb567643d7f7bdad2e4f3c592533b33417affab3f59ef9c59becb310e6e870979042fe2e6a54497b53e3e243e9e884ce3b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c0d24mpn.obc.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\pd4qxeaq\pd4qxeaq.dll
      Filesize

      3KB

      MD5

      19de3d80d66ba4b77b500f3310f41abe

      SHA1

      51b032d7c00c3ec568da3ac2e665d955a63cb7de

      SHA256

      ac977d4d84884438ccdb629c58a26e0d4003de18388feb348781295cd0a82220

      SHA512

      4954fc1a6da8342966ed1553fe7675d294123b91c232016458e95cd725ad7744e538522645328d0b206a5bcb19bd13a08357367e1d1cdf30d89726235e3a80eb

      Download Submit

    • C:\Users\Admin\AppData\Roaming\cosse.exe
      Filesize

      1020KB

      MD5

      4397e5bc5bc3c6d79b917b17e8b122f3

      SHA1

      007b6e094526fb0bb0978672ff50024e1cc635fc

      SHA256

      63cae99ed47a3a8ad4fcf212d71c0700f5f99390f188ab2c45e17d1c4618ff04

      SHA512

      fd7dca44dbd973cff67d1a0cc2a80fbe2857d464d9c0d44988225c0104bce8b4b33ee01201ae3b91fecf07b2c5bef118b2a61514904b73272a5de4fa54ade386

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\pd4qxeaq\CSC8ADB27EDDF424169852BA0BBD33D69D.TMP
      Filesize

      652B

      MD5

      7cd6b56de422800d8c6da13b86fa3874

      SHA1

      c03adfd1e98b1b2e9a97600e0050124d8f568db1

      SHA256

      ee27f65a60898a947248abb5a2269562f4b321af10c928e482b5ecb157ae2ac2

      SHA512

      698c3cdedae00e58e7d82dd6b4fe3bd0cedabfe22ae5920f2bba722678a69892dc0b6aa1b59e9891d688fb2d5e60ec2ac37c72f8cfcfbf49acf8e8c76b0c810d

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\pd4qxeaq\pd4qxeaq.0.cs
      Filesize

      470B

      MD5

      fc199e95b98fd2bef9dc8c75ac49fd5c

      SHA1

      389c49f099b5da6b47d07e9de292d553c6713f83

      SHA256

      c443f29fb2f6d18f4cb0813c178248952b8856a8e27a157ce046e7eecd99604f

      SHA512

      07b4af2f464e011646d0deb2bd1639cc0ade38b507b84230ee3d4863416a6a9c9d9e6678a438ae203bd534adbe1160198c6575d87f8a88ce440aefd1d018d7ba

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\pd4qxeaq\pd4qxeaq.cmdline
      Filesize

      369B

      MD5

      eb50d14bdd40bd1607a3c43dae3d0e7a

      SHA1

      10062176648b98f95c01b7c63c9b6ac9f825ab97

      SHA256

      3ec9f20c4092d0963a2e5ed6174db6c4670e76480aeaf53a86cc4b4d9560da2f

      SHA512

      60a75261bedd2809331373f793bedd75e50843854d011a24b265db27bf524d65ffd2c3c8920518d80428ebc250aeef9a7d572583e30acd578c13cba4c84599a0

      Download Submit

    • memory/3760-12-0x00007FF969710000-0x00007FF96A1D1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3760-25-0x0000022C09B00000-0x0000022C09B08000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3760-0-0x00007FF969713000-0x00007FF969715000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3760-11-0x00007FF969710000-0x00007FF96A1D1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3760-27-0x00007FF969713000-0x00007FF969715000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3760-28-0x00007FF969710000-0x00007FF96A1D1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3760-1-0x0000022C09AD0000-0x0000022C09AF2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3760-44-0x00007FF969710000-0x00007FF96A1D1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5636-52-0x0000000000400000-0x000000000044A000-memory.dmp

      Filesize

      296KB

      Download

    • memory/5636-53-0x0000000005B80000-0x0000000006124000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/5636-54-0x0000000005670000-0x000000000570C000-memory.dmp

      Filesize

      624KB

      Download