Analysis
- max time kernel: 105s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20250610-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250610-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/07/2025, 07:22
- Static task: static1
- Behavioral task: behavioral1
  - Sample: Teklif Talebi - Talep No-25T1847_docx.exe
  - Resource: win10v2004-20250610-en
General
- Target: Teklif Talebi - Talep No-25T1847_docx.exe
- Size: 1.1MB
- MD5: a0256a1a007911f53f83941f5afa5d16
- SHA1: 549d496171239b5a8c6563c84447d701c7ab4180
- SHA256: dc717f613c531df66e04f17cb2718064c1e3f469c585008eebf98cd69928274f
- SHA512: dd9b0b755c92d4c83e351997f9f0aae16b42a3661e8be4a2b8bf816490d37d5405d52edf3bcfc96d3a7d03139f1fa782cda9d4bc8b307fcc64054fe7072079c2
- SSDEEP: 24576:Z5EmXFtKaL4/oFe5T9yyXYfP1ijXdaOrqfqzZiM3dk+EIO:ZPVt/LZeJbInQRaOWiNiMNk+
Malware Config
Extracted: vipkeylogger
- Protocol: smtp
- Host: mail.wxtp.store
- Port: 587
- Username: [email protected]
- Password: 7213575aceACE@@#
- Email To: [email protected]
- Telegram bot endpoint: https://api.telegram.org/bot8099843793:AAGeYKMLti1IpyT9o6bz7OtgdXF9md25uXA/sendMessage?chat_id=6337180137
Signatures
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.
- Vipkeylogger family

Drops startup file (1 IoC)
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\subbasaltic.vbs | subbasaltic.exe

Executes dropped EXE (1 IoC)
  pid | process
  4040 | subbasaltic.exe

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3001560346-2020497773-4190896137-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3001560346-2020497773-4190896137-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3001560346-2020497773-4190896137-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe

Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  28 | reallyfreegeoip.org
  29 | reallyfreegeoip.org
  26 | checkip.dyndns.org

AutoIT Executable (2 IoCs)
  AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral1/files/0x000b0000000240fe-9.dat | autoit_exe
  behavioral1/memory/4040-18-0x0000000001AA0000-0x0000000001EA0000-memory.dmp | autoit_exe

Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | procid_target
  PID 4040 set thread context of 4804 | 4040 | subbasaltic.exe | 91

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Teklif Talebi - Talep No-25T1847_docx.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | subbasaltic.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegSvcs.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | process
  4804 | RegSvcs.exe
  4804 | RegSvcs.exe

Suspicious behavior: MapViewOfSection (1 IoC)
  pid | process
  4040 | subbasaltic.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeDebugPrivilege | 4804 | RegSvcs.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | process | procid_target
  PID 2948 wrote to memory of 4040 | 2948 | Teklif Talebi - Talep No-25T1847_docx.exe | 89
  PID 2948 wrote to memory of 4040 | 2948 | Teklif Talebi - Talep No-25T1847_docx.exe | 89
  PID 2948 wrote to memory of 4040 | 2948 | Teklif Talebi - Talep No-25T1847_docx.exe | 89
  PID 4040 wrote to memory of 4804 | 4040 | subbasaltic.exe | 91
  PID 4040 wrote to memory of 4804 | 4040 | subbasaltic.exe | 91
  PID 4040 wrote to memory of 4804 | 4040 | subbasaltic.exe | 91
  PID 4040 wrote to memory of 4804 | 4040 | subbasaltic.exe | 91

outlook_office_path (1 IoC)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3001560346-2020497773-4190896137-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe

outlook_win_path (1 IoC)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3001560346-2020497773-4190896137-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\Teklif Talebi - Talep No-25T1847_docx.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Teklif Talebi - Talep No-25T1847_docx.exe"
  PID: 2948
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\emboweling\subbasaltic.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Teklif Talebi - Talep No-25T1847_docx.exe"
    PID: 4040
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Teklif Talebi - Talep No-25T1847_docx.exe"
      PID: 4804
      - Accesses Microsoft Outlook profiles
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path

Both child processes are recorded with the original sample's command line rather than their own image path. For RegSvcs.exe this image/command-line mismatch, together with the SetThreadContext and WriteProcessMemory activity from PID 4040 listed above, is consistent with the .NET host being started suspended and replaced in memory (process hollowing); the Outlook profile reads and IP lookups are then performed from inside the hollowed RegSvcs.exe.
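The behaviours recorded above (the .vbs dropped into the Startup folder, a .NET utility started from a user-writable directory with a command line naming the lure instead of its own image, RegSvcs.exe reading Outlook profile keys, lookups of checkip.dyndns.org and reallyfreegeoip.org, and the SMTP-587 and api.telegram.org channels from the extracted config) can be expressed as host telemetry rules. The Python below is an added example written for this page; it is not part of the sandbox report or of any vendor tooling. It runs the rules over a constructed, Sysmon-style event list that mirrors the process tree above. The event schema, the mail-client allowlist, and the .NET host names other than RegSvcs.exe are assumptions; paths, registry keys and domains are taken from the report.

```python
"""Detection rules for the behaviours in this report, run over constructed
Sysmon-style events.  Added example; not from the sandbox or any product."""
import re

# Persistence: a script written into any user's Startup folder.
STARTUP_DIR = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
SCRIPT_EXT = (".vbs", ".js", ".jse", ".wsf", ".ps1", ".bat", ".cmd", ".lnk")

# .NET utilities abused as hollowing targets. RegSvcs.exe is the one in the
# report; the other names are assumed additions.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\(?:local|roaming)\\", re.I)

# Outlook profile locations read by the stealer (both keys from the report).
OUTLOOK_PROFILE = re.compile(
    r"\\Software\\Microsoft\\(?:Office\\\d+\.\d+\\Outlook"
    r"|Windows NT\\CurrentVersion\\Windows Messaging Subsystem)\\Profiles\\", re.I)

IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "reallyfreegeoip.org"}   # from the report
EXFIL_HOSTS = {"api.telegram.org"}                                  # from the config
SMTP_SUBMISSION_PORT = 587                                          # from the config
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}                   # assumed allowlist


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def image_from_command_line(cmd):
    """Return argv[0] of a Windows command line (handles the quoted form)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def detect(events):
    """Return (rule, image, detail) tuples for every event matching a rule."""
    findings = []
    for ev in events:
        image = ev.get("image", "")
        name = basename(image)
        kind = ev["event"]
        if kind == "FileCreate":
            target = ev["target"]
            if STARTUP_DIR.search(target) and target.lower().endswith(SCRIPT_EXT):
                findings.append(("startup_script_drop", image, target))
        elif kind == "ProcessCreate" and name in DOTNET_HOSTS:
            parent = ev.get("parent_image", "")
            if USER_WRITABLE.match(parent):
                findings.append(("dotnet_host_from_user_dir", image, parent))
            # argv[0] naming a different binary than the loaded image is the
            # hollowing tell: here the lure's path appears on RegSvcs.exe.
            argv0 = image_from_command_line(ev.get("command_line", ""))
            if argv0 and argv0.lower() != image.lower():
                findings.append(("image_cmdline_mismatch", image, argv0))
        elif kind == "RegistryEvent" and OUTLOOK_PROFILE.search(ev["target"]):
            findings.append(("outlook_profile_access", image, ev["target"]))
        elif kind == "DnsQuery":
            q = ev["query"].lower()
            if q in IP_LOOKUP_HOSTS:
                findings.append(("external_ip_lookup", image, q))
            elif q in EXFIL_HOSTS:
                findings.append(("telegram_api_contact", image, q))
        elif kind == "NetworkConnect":
            if ev.get("dest_port") == SMTP_SUBMISSION_PORT and name not in MAIL_CLIENTS:
                findings.append(("smtp_from_non_mail_client", image, ev.get("dest_host", "")))
    return findings


# Constructed events mirroring the report's process tree (not sandbox output).
LURE = r"C:\Users\Admin\AppData\Local\Temp\Teklif Talebi - Talep No-25T1847_docx.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\emboweling\subbasaltic.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
OUTLOOK_KEY = ("\\REGISTRY\\USER\\S-1-5-21-3001560346-2020497773-4190896137-1000"
               r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676")

SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "image": DROPPED, "parent_image": LURE, "command_line": f'"{LURE}"'},
    {"event": "FileCreate", "image": DROPPED,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\subbasaltic.vbs"},
    {"event": "ProcessCreate", "image": REGSVCS, "parent_image": DROPPED, "command_line": f'"{LURE}"'},
    {"event": "RegistryEvent", "image": REGSVCS, "target": OUTLOOK_KEY},
    {"event": "DnsQuery", "image": REGSVCS, "query": "checkip.dyndns.org"},
    {"event": "DnsQuery", "image": REGSVCS, "query": "api.telegram.org"},
    {"event": "NetworkConnect", "image": REGSVCS, "dest_host": "mail.wxtp.store", "dest_port": 587},
    # Benign control (constructed): a real mail client submitting mail is not flagged.
    {"event": "NetworkConnect", "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dest_host": "smtp.example.com", "dest_port": 587},
]

if __name__ == "__main__":
    for rule, image, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:28} {basename(image):16} {detail}")
```

The image/command-line mismatch rule is deliberately restricted to the .NET host list: applied to every process it would also fire on the AutoIT stage (subbasaltic.exe is recorded with the lure's command line too), and in production it is noisy for processes started through 8.3 names or symlinks. The port-587 rule assumes the environment routes mail submission only through known clients; adjust the allowlist before deploying.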
MITRE ATT&CK Enterprise v16
Downloads
- Filesize: 268KB
  MD5: 515efbbe56567cb8d624c9f03d82a64b
  SHA1: a34f3acbab65d8173a962a7e587ad99c7a59a06a
  SHA256: 284411cd6dec4817149a727a028a01c5accc4e44843ec3be3692dee7f983ed34
  SHA512: 768c155fd75f8847eb71e5b116e2ceb4891f0364fbf04a27bc9a09dcc8df232b5c8be0535bbe1d72b6a03d35e99f896cc86d45aa52d81c4ce6ac96d5ad3a18b4
- Filesize: 1.1MB (hashes match the submitted sample)
  MD5: a0256a1a007911f53f83941f5afa5d16
  SHA1: 549d496171239b5a8c6563c84447d701c7ab4180
  SHA256: dc717f613c531df66e04f17cb2718064c1e3f469c585008eebf98cd69928274f
  SHA512: dd9b0b755c92d4c83e351997f9f0aae16b42a3661e8be4a2b8bf816490d37d5405d52edf3bcfc96d3a7d03139f1fa782cda9d4bc8b307fcc64054fe7072079c2