Analysis
- max time kernel: 117s
- max time network: 121s
- platform: windows10-2004_x64
- resource: win10v2004-20250410-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250410-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/04/2025, 15:10
Static task: static1
Behavioral task: behavioral1
- Sample: Confirmación pedido 1211073874.exe
- Resource: win10v2004-20250410-en
Behavioral task: behavioral2
- Sample: $PLUGINSDIR/System.dll
- Resource: win10v2004-20250410-en
General
- Target: Confirmación pedido 1211073874.exe
- Size: 643KB
- MD5: 7c012ccbe118eb2b08418c0bc8225052
- SHA1: dd1c854c64a6d3e3265cc648d578c5f4acf4df8e
- SHA256: 9626a23f54ddd20eb8ca9b910f97954504f1676b71df8150f8f9a5e0d6072f88
- SHA512: 09d3bbbc1850fd8eb16fd7409ac269361dadf670cb887c38bd170c7da363d9e2cd97364e960152451690f0396dd3fef71a2add8c480e032d093e3bccc047fdfd
- SSDEEP: 12288:u+qBlcJ90annNzz5FZz/dops9FcUF8xaJ9BcHUepC2mCeubt1AW:u+qXWhNnBdopCcYcQBcHrC2mCek1AW
Malware Config
Extracted
- Protocol: smtp
- Host: botellaconsultant.com
- Port: 587
- Username: [email protected]
- Password: gab@06012019
Extracted
vipkeylogger
- Protocol: smtp
- Host: botellaconsultant.com
- Port: 587
- Username: [email protected]
- Password: gab@06012019
- Email To: [email protected]
- Telegram endpoint: https://api.telegram.org/bot8177269356:AAE1A-wrzIPPvS7h0Q2cLoj1CThwbRU3Yas/sendMessage?chat_id=7267131103
Signatures
- Guloader family
- Guloader, Cloudeye
  A shellcode-based downloader first seen in 2020.
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.
- Vipkeylogger family
- Loads dropped DLL (2 IoCs)
  pid | Process
  6040 | Confirmación pedido 1211073874.exe
  6040 | Confirmación pedido 1211073874.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Confirmación pedido 1211073874.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Confirmación pedido 1211073874.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Confirmación pedido 1211073874.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow | ioc
  15 | drive.google.com
  16 | drive.google.com
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  27 | checkip.dyndns.org
  29 | reallyfreegeoip.org
  30 | reallyfreegeoip.org
- Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
  pid | Process
  5996 | Confirmación pedido 1211073874.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid | Process
  6040 | Confirmación pedido 1211073874.exe
  5996 | Confirmación pedido 1211073874.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Confirmación pedido 1211073874.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Confirmación pedido 1211073874.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  5996 | Confirmación pedido 1211073874.exe
  5996 | Confirmación pedido 1211073874.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  pid | Process
  6040 | Confirmación pedido 1211073874.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 5996 | Confirmación pedido 1211073874.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 6040 wrote to memory of 5996 | 6040 | Confirmación pedido 1211073874.exe | 91
  PID 6040 wrote to memory of 5996 | 6040 | Confirmación pedido 1211073874.exe | 91
  PID 6040 wrote to memory of 5996 | 6040 | Confirmación pedido 1211073874.exe | 91
  PID 6040 wrote to memory of 5996 | 6040 | Confirmación pedido 1211073874.exe | 91
- outlook_office_path (1 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Confirmación pedido 1211073874.exe
- outlook_win_path (1 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Confirmación pedido 1211073874.exe
Processes
- Depth 1: C:\Users\Admin\AppData\Local\Temp\Confirmación pedido 1211073874.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Confirmación pedido 1211073874.exe"
  PID: 6040
  Signatures:
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - Depth 2 (child of PID 6040): C:\Users\Admin\AppData\Local\Temp\Confirmación pedido 1211073874.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Confirmación pedido 1211073874.exe"
    PID: 5996
    Signatures:
    - Accesses Microsoft Outlook profiles
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v16
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (2)
  - Credentials In Files (2)
Downloads