Overview

overview

10

Static

static

3

jxGidTkOad4suSF.exe

windows7-x64

10

jxGidTkOad4suSF.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/03/2025, 16:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    jxGidTkOad4suSF.exe

  • Size

    869KB

  • MD5

    24fe4f00c34617dbda65dea7b69290fa

  • SHA1

    652ca5827811da26020b27267574e93b4e3a0a1b

  • SHA256

    2cabff0ab44ef8b5791f5ec5c5dc25f509a6ca502af94813cab8fcfcdc6abfa9

  • SHA512

    e09ecb5ee06b5f61aa7dcbd1db757851224b8822c3765eff5f5066aa761a017376eb24688534935c8c9b33120a5332e8ecfeb225d52a96c178cec5116e195952

  • SSDEEP

    12288:NMvDFVzJ+Wnqn++PtFmwH9PD3yy6EtS1YFbOWKkhrINsuNQxv3yfiuiKMF4Ezh0W:NMbHzMjowH9bZsq0W1rubNmfEid3Ho

Score
10/10
vipkeyloggercollectiondiscoveryexecutionkeyloggerstealer

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7688589725:AAEXfrzDHwZLObnhvGxbNuF0otXr2qYoXHQ/sendMessage?chat_id=2015352628

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    stealerkeyloggervipkeylogger
  • Vipkeylogger family
    vipkeylogger
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\jxGidTkOad4suSF.exe
    "C:\Users\Admin\AppData\Local\Temp\jxGidTkOad4suSF.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5724
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\jxGidTkOad4suSF.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2128
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\oqiReQQ.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:100
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oqiReQQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9D0B.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:5924
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
        PID:1448
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        2⤵
          PID:2160
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
          2⤵
            PID:3652
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
            2⤵
            • Accesses Microsoft Outlook profiles
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • outlook_office_path
            • outlook_win_path
            PID:3336

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          18KB

          MD5

          f42681ef3c3c5891b83f0725cf8beaaa

          SHA1

          fd582409d0ccf4ea9d28c3efdc93cc6310b4dc8d

          SHA256

          3ea4a18ab0e47e3caa692d605eed628a46ece7ac219603a7d83a27bc06b6c8e0

          SHA512

          2ea338cd99d79f931c6c8913c334b70f3362af88d2121110c2514973ea242a2716dcf1aa89bb1c552b0937949cb2234139d6c84cf2ee8a38b81553a8081bc338

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1pmp5p2p.gm0.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tmp9D0B.tmp
          Filesize

          1KB

          MD5

          9e49a6137a6763712757b6fd65300e1a

          SHA1

          b981594176db15542d66fd9b22b86537a59bf56f

          SHA256

          92c91ebe77000be79ab9715c837245225196322b9221d5d58b1d34af1f0f504d

          SHA512

          509468c184e01f35c3547dd866b316128d9396c522a53267574b47b9c8e3377a0b98e3b9f23b5a5e8eeafac869294d068c293bd49408514e4d4d8b33829e6809

          Download Submit

        • memory/100-73-0x0000000007A80000-0x0000000007A9A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/100-74-0x0000000007AF0000-0x0000000007AFA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/100-85-0x0000000074A90000-0x0000000075240000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/100-79-0x0000000007DC0000-0x0000000007DDA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/100-78-0x0000000007CC0000-0x0000000007CD4000-memory.dmp

          Filesize

          80KB

          Download

        • memory/100-76-0x0000000007C80000-0x0000000007C91000-memory.dmp

          Filesize

          68KB

          Download

        • memory/100-75-0x0000000007D00000-0x0000000007D96000-memory.dmp

          Filesize

          600KB

          Download

        • memory/100-71-0x0000000007750000-0x00000000077F3000-memory.dmp

          Filesize

          652KB

          Download

        • memory/100-60-0x0000000071280000-0x00000000712CC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/100-48-0x00000000068B0000-0x00000000068FC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/100-47-0x0000000006670000-0x000000000668E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/100-20-0x0000000074A90000-0x0000000075240000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2128-86-0x0000000074A90000-0x0000000075240000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2128-15-0x0000000002310000-0x0000000002346000-memory.dmp

          Filesize

          216KB

          Download

        • memory/2128-77-0x0000000007190000-0x000000000719E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2128-18-0x0000000074A90000-0x0000000075240000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2128-23-0x0000000005500000-0x0000000005566000-memory.dmp

          Filesize

          408KB

          Download

        • memory/2128-22-0x0000000004C80000-0x0000000004CA2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/2128-34-0x0000000005620000-0x0000000005974000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2128-61-0x0000000006260000-0x000000000627E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/2128-17-0x0000000004E20000-0x0000000005448000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/2128-72-0x0000000007600000-0x0000000007C7A000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/2128-24-0x0000000005570000-0x00000000055D6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/2128-16-0x0000000074A90000-0x0000000075240000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2128-49-0x0000000006220000-0x0000000006252000-memory.dmp

          Filesize

          200KB

          Download

        • memory/2128-19-0x0000000074A90000-0x0000000075240000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2128-50-0x0000000071280000-0x00000000712CC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/2128-80-0x0000000007280000-0x0000000007288000-memory.dmp

          Filesize

          32KB

          Download

        • memory/3336-87-0x0000000006AE0000-0x0000000006CA2000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/3336-35-0x0000000000400000-0x0000000000448000-memory.dmp

          Filesize

          288KB

          Download

        • memory/3336-88-0x0000000006980000-0x00000000069D0000-memory.dmp

          Filesize

          320KB

          Download

        • memory/5724-10-0x0000000008FE0000-0x000000000906E000-memory.dmp

          Filesize

          568KB

          Download

        • memory/5724-9-0x0000000074A90000-0x0000000075240000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/5724-8-0x0000000074A9E000-0x0000000074A9F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/5724-0-0x0000000074A9E000-0x0000000074A9F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/5724-7-0x0000000008A70000-0x0000000008A88000-memory.dmp

          Filesize

          96KB

          Download

        • memory/5724-6-0x00000000078E0000-0x000000000797C000-memory.dmp

          Filesize

          624KB

          Download

        • memory/5724-2-0x0000000007B30000-0x00000000080D4000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/5724-1-0x00000000007A0000-0x0000000000880000-memory.dmp

          Filesize

          896KB

          Download

        • memory/5724-5-0x0000000001290000-0x000000000129A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/5724-4-0x0000000074A90000-0x0000000075240000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/5724-46-0x0000000074A90000-0x0000000075240000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/5724-3-0x0000000007620000-0x00000000076B2000-memory.dmp

          Filesize

          584KB

          Download