vipkeylogger | 9c6b53051039e6e3ada670ef5c591e69e3cadae46b3e78510cadb800d2379840

General

Target

9c6b53051039e6e3ada670ef5c591e69e3cadae46b3e78510cadb800d2379840.exe
Size

743KB
MD5

e9f5c88ac891da1d0beccbd87d5e019d
SHA1

f967099f11090fb9f8aada10189211c98b777a0d
SHA256

9c6b53051039e6e3ada670ef5c591e69e3cadae46b3e78510cadb800d2379840
SHA512

ebdfe47786bec52aaf399b35a174a05f5840d7897f85de979953b36f1611ebfe47744ab4e74dd77eefbb28525cebd64c8bfe5948ad842460c19907c649dcdb28
SSDEEP

12288:COv5jKhsfoPA+yeVKUCUxP4C902bdRtJJPidw/3SKkypQquMKAWy:Cq5TfcdHj4fmb4a3SKaoR

Score

10^/10

vipkeylogger collection credential_access discovery keylogger stealer upx

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI/sendMessage?chat_id=6443825857

Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hymenophyllaceae.vbs	Hymenophyllaceae.exe

Executes dropped EXE 1 IoCs

pid	Process
2712	Hymenophyllaceae.exe

Loads dropped DLL 1 IoCs

pid	Process
1816	9c6b53051039e6e3ada670ef5c591e69e3cadae46b3e78510cadb800d2379840.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1816-0-0x0000000000100000-0x00000000002A5000-memory.dmp	upx
behavioral1/files/0x0007000000019311-14.dat	upx
behavioral1/memory/2712-20-0x0000000000D30000-0x0000000000ED5000-memory.dmp	upx
behavioral1/memory/1816-18-0x0000000000100000-0x00000000002A5000-memory.dmp	upx
behavioral1/memory/2712-40-0x0000000000D30000-0x0000000000ED5000-memory.dmp	upx

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svchost.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	checkip.dyndns.org

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1816-18-0x0000000000100000-0x00000000002A5000-memory.dmp	autoit_exe
behavioral1/memory/2712-40-0x0000000000D30000-0x0000000000ED5000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2712 set thread context of 2956	2712	Hymenophyllaceae.exe	31

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9c6b53051039e6e3ada670ef5c591e69e3cadae46b3e78510cadb800d2379840.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hymenophyllaceae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2956	svchost.exe
2956	svchost.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2712	Hymenophyllaceae.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2956	svchost.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1816	9c6b53051039e6e3ada670ef5c591e69e3cadae46b3e78510cadb800d2379840.exe
1816	9c6b53051039e6e3ada670ef5c591e69e3cadae46b3e78510cadb800d2379840.exe
2712	Hymenophyllaceae.exe
2712	Hymenophyllaceae.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1816	9c6b53051039e6e3ada670ef5c591e69e3cadae46b3e78510cadb800d2379840.exe
1816	9c6b53051039e6e3ada670ef5c591e69e3cadae46b3e78510cadb800d2379840.exe
2712	Hymenophyllaceae.exe
2712	Hymenophyllaceae.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1816 wrote to memory of 2712	1816	9c6b53051039e6e3ada670ef5c591e69e3cadae46b3e78510cadb800d2379840.exe	30
PID 1816 wrote to memory of 2712	1816	9c6b53051039e6e3ada670ef5c591e69e3cadae46b3e78510cadb800d2379840.exe	30
PID 1816 wrote to memory of 2712	1816	9c6b53051039e6e3ada670ef5c591e69e3cadae46b3e78510cadb800d2379840.exe	30
PID 1816 wrote to memory of 2712	1816	9c6b53051039e6e3ada670ef5c591e69e3cadae46b3e78510cadb800d2379840.exe	30
PID 2712 wrote to memory of 2956	2712	Hymenophyllaceae.exe	31
PID 2712 wrote to memory of 2956	2712	Hymenophyllaceae.exe	31
PID 2712 wrote to memory of 2956	2712	Hymenophyllaceae.exe	31
PID 2712 wrote to memory of 2956	2712	Hymenophyllaceae.exe	31
PID 2712 wrote to memory of 2956	2712	Hymenophyllaceae.exe	31

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svchost.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svchost.exe

C:\Users\Admin\AppData\Local\Temp\9c6b53051039e6e3ada670ef5c591e69e3cadae46b3e78510cadb800d2379840.exe
"C:\Users\Admin\AppData\Local\Temp\9c6b53051039e6e3ada670ef5c591e69e3cadae46b3e78510cadb800d2379840.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Users\Admin\AppData\Local\extrorsal\Hymenophyllaceae.exe
  "C:\Users\Admin\AppData\Local\Temp\9c6b53051039e6e3ada670ef5c591e69e3cadae46b3e78510cadb800d2379840.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\9c6b53051039e6e3ada670ef5c591e69e3cadae46b3e78510cadb800d2379840.exe"
    3⤵
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Discovery

Browser Information Discovery

1

T1217

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\intemeration

Filesize
58KB

MD5
44086d7a46f74b283701e6ae5e9baee3

SHA1
b0a44d968b0cb91f4f4f2b87369e3f40cbb7e3e0

SHA256
f62211bd921aea032d47294694e68376002dacec12b8e6b44ebd3d9350043a15

SHA512
57b094bb14ab82b26c347c01cedffcbd7cc768e8ef1ef765767393a83af950f2fc9d14df2ce3934ed6858336d6e0dff8369a5be33714dc2c70ce78fbaa0c0026

Download Submit
\Users\Admin\AppData\Local\extrorsal\Hymenophyllaceae.exe

Filesize
743KB

MD5
e9f5c88ac891da1d0beccbd87d5e019d

SHA1
f967099f11090fb9f8aada10189211c98b777a0d

SHA256
9c6b53051039e6e3ada670ef5c591e69e3cadae46b3e78510cadb800d2379840

SHA512
ebdfe47786bec52aaf399b35a174a05f5840d7897f85de979953b36f1611ebfe47744ab4e74dd77eefbb28525cebd64c8bfe5948ad842460c19907c649dcdb28

Download Submit
memory/1816-0-0x0000000000100000-0x00000000002A5000-memory.dmp

Filesize
1.6MB

Download
memory/1816-12-0x00000000000F0000-0x00000000000F4000-memory.dmp

Filesize
16KB

Download
memory/1816-48-0x0000000002AF0000-0x0000000002C95000-memory.dmp

Filesize
1.6MB

Download
memory/1816-18-0x0000000000100000-0x00000000002A5000-memory.dmp

Filesize
1.6MB

Download
memory/2712-40-0x0000000000D30000-0x0000000000ED5000-memory.dmp

Filesize
1.6MB

Download
memory/2712-20-0x0000000000D30000-0x0000000000ED5000-memory.dmp

Filesize
1.6MB

Download
memory/2956-44-0x0000000074310000-0x00000000749FE000-memory.dmp

Filesize
6.9MB

Download
memory/2956-36-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2956-41-0x000000007431E000-0x000000007431F000-memory.dmp

Filesize
4KB

Download
memory/2956-42-0x0000000001EB0000-0x0000000001F00000-memory.dmp

Filesize
320KB

Download
memory/2956-43-0x0000000004080000-0x00000000040CE000-memory.dmp

Filesize
312KB

Download
memory/2956-38-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2956-45-0x0000000074310000-0x00000000749FE000-memory.dmp

Filesize
6.9MB

Download
memory/2956-46-0x0000000074310000-0x00000000749FE000-memory.dmp

Filesize
6.9MB

Download
memory/2956-47-0x0000000074310000-0x00000000749FE000-memory.dmp

Filesize
6.9MB

Download
memory/2956-39-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2956-49-0x000000007431E000-0x000000007431F000-memory.dmp

Filesize
4KB

Download
memory/2956-50-0x0000000074310000-0x00000000749FE000-memory.dmp

Filesize
6.9MB

Download
memory/2956-51-0x0000000074310000-0x00000000749FE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing