vipkeylogger | 36072f64891875212e9f45cc11d64d1bfdbe9a8caa55cdb1f488d7ac1c232074

General

Target

PAYMENT INFO.exe
Size

774KB
MD5

6dccb1dd8e7b7fe9d9f138caaea7f420
SHA1

038fec3f89b09fad5e74dc978b00635f39da3bd0
SHA256

36072f64891875212e9f45cc11d64d1bfdbe9a8caa55cdb1f488d7ac1c232074
SHA512

01e81b6609ebacf1234ec22206c03b67dd7e0e318ab27f6dbb84bdf0ccf6514e45563145fc6b893e041af42dcc167e9caaf388d34d5a5ded7f6cb7062db173b3
SSDEEP

12288:dVf55k2851Elq/61UJp2Xen07Ow4BuYwOcFB7YTcYeQ8dRrrllE3Oix4r:J5x5lUJgXk07x4tiUcBFHrFEi

Score

10^/10

vipkeylogger collection credential_access discovery keylogger spyware stealer

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7470097193:AAH7g9zj8FQx12YOFkn9mZO_1-BTN4b6gKo/sendMessage?chat_id=6155920142

Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PAYMENT INFO.exe
Key opened	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PAYMENT INFO.exe
Key opened	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PAYMENT INFO.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
23	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1292 set thread context of 3672	1292	PAYMENT INFO.exe	94

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1292	PAYMENT INFO.exe
3672	PAYMENT INFO.exe
3672	PAYMENT INFO.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1292	PAYMENT INFO.exe
Token: SeDebugPrivilege	3672	PAYMENT INFO.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 3672	1292	PAYMENT INFO.exe	94
PID 1292 wrote to memory of 3672	1292	PAYMENT INFO.exe	94
PID 1292 wrote to memory of 3672	1292	PAYMENT INFO.exe	94
PID 1292 wrote to memory of 3672	1292	PAYMENT INFO.exe	94
PID 1292 wrote to memory of 3672	1292	PAYMENT INFO.exe	94
PID 1292 wrote to memory of 3672	1292	PAYMENT INFO.exe	94

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PAYMENT INFO.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PAYMENT INFO.exe

C:\Users\Admin\AppData\Local\Temp\PAYMENT INFO.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENT INFO.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Users\Admin\AppData\Local\Temp\PAYMENT INFO.exe
  "C:\Users\Admin\AppData\Local\Temp\PAYMENT INFO.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:3672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Browser Information Discovery

1

T1217

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PAYMENT INFO.exe.log

Filesize
1KB

MD5
00e11b196d5ba77191cba469e8925764

SHA1
f1546b803f20c8b4010f862843edc0b0771a681b

SHA256
abfc56372bee93b3c083a66ac449e55f824c5ef64cbb87d656011cc0ff1ec6c1

SHA512
985bd5a4d4f516701e54a4c361dd3a454cb107694cd240336e32365822f49b47f0a2e0cc04ae7866bfd4d142175540bb329f02f3e1b990e9a09c63c2e258f0a7

Download Submit
memory/1292-8-0x000000001D900000-0x000000001D988000-memory.dmp

Filesize
544KB

Download
memory/1292-3-0x0000000001AD0000-0x0000000001AF4000-memory.dmp

Filesize
144KB

Download
memory/1292-1-0x0000000000BC0000-0x0000000000C86000-memory.dmp

Filesize
792KB

Download
memory/1292-12-0x00007FFDD28E0000-0x00007FFDD33A1000-memory.dmp

Filesize
10.8MB

Download
memory/1292-5-0x00007FFDD28E0000-0x00007FFDD33A1000-memory.dmp

Filesize
10.8MB

Download
memory/1292-6-0x0000000001B00000-0x0000000001B16000-memory.dmp

Filesize
88KB

Download
memory/1292-7-0x0000000001B80000-0x0000000001B94000-memory.dmp

Filesize
80KB

Download
memory/1292-0-0x00007FFDD28E3000-0x00007FFDD28E5000-memory.dmp

Filesize
8KB

Download
memory/1292-4-0x00007FFDD28E3000-0x00007FFDD28E5000-memory.dmp

Filesize
8KB

Download
memory/1292-2-0x00007FFDD28E0000-0x00007FFDD33A1000-memory.dmp

Filesize
10.8MB

Download
memory/3672-19-0x00007FFDD28E0000-0x00007FFDD33A1000-memory.dmp

Filesize
10.8MB

Download
memory/3672-13-0x00007FFDD28E0000-0x00007FFDD33A1000-memory.dmp

Filesize
10.8MB

Download
memory/3672-14-0x00007FFDD28E0000-0x00007FFDD33A1000-memory.dmp

Filesize
10.8MB

Download
memory/3672-15-0x000000001F050000-0x000000001F212000-memory.dmp

Filesize
1.8MB

Download
memory/3672-16-0x0000000001F20000-0x0000000001F70000-memory.dmp

Filesize
320KB

Download
memory/3672-17-0x000000001F750000-0x000000001FC78000-memory.dmp

Filesize
5.2MB

Download
memory/3672-18-0x00007FFDD28E0000-0x00007FFDD33A1000-memory.dmp

Filesize
10.8MB

Download
memory/3672-9-0x0000000140000000-0x0000000140046000-memory.dmp

Filesize
280KB

Download

Analysis

Sharing