vipkeylogger | 9c6b53051039e6e3ada670ef5c591e69e3cadae46b3e78510cadb800d2379840

General

Target

9c6b53051039e6e3ada670ef5c591e69e3cadae46b3e78510cadb800d2379840.exe
Size

743KB
MD5

e9f5c88ac891da1d0beccbd87d5e019d
SHA1

f967099f11090fb9f8aada10189211c98b777a0d
SHA256

9c6b53051039e6e3ada670ef5c591e69e3cadae46b3e78510cadb800d2379840
SHA512

ebdfe47786bec52aaf399b35a174a05f5840d7897f85de979953b36f1611ebfe47744ab4e74dd77eefbb28525cebd64c8bfe5948ad842460c19907c649dcdb28
SSDEEP

12288:COv5jKhsfoPA+yeVKUCUxP4C902bdRtJJPidw/3SKkypQquMKAWy:Cq5TfcdHj4fmb4a3SKaoR

Score

10^/10

vipkeylogger discovery keylogger stealer upx

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI/sendMessage?chat_id=6443825857

Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hymenophyllaceae.vbs	Hymenophyllaceae.exe

Executes dropped EXE 1 IoCs

pid	Process
3056	Hymenophyllaceae.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4716-0-0x0000000000140000-0x00000000002E5000-memory.dmp	upx
behavioral2/files/0x000600000002270e-15.dat	upx
behavioral2/memory/3056-17-0x0000000000B30000-0x0000000000CD5000-memory.dmp	upx
behavioral2/memory/4716-19-0x0000000000140000-0x00000000002E5000-memory.dmp	upx
behavioral2/memory/3056-39-0x0000000000B30000-0x0000000000CD5000-memory.dmp	upx

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	checkip.dyndns.org

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/4716-19-0x0000000000140000-0x00000000002E5000-memory.dmp	autoit_exe
behavioral2/memory/3056-39-0x0000000000B30000-0x0000000000CD5000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3056 set thread context of 3436	3056	Hymenophyllaceae.exe	88

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hymenophyllaceae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9c6b53051039e6e3ada670ef5c591e69e3cadae46b3e78510cadb800d2379840.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3436	svchost.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3056	Hymenophyllaceae.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3436	svchost.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4716	9c6b53051039e6e3ada670ef5c591e69e3cadae46b3e78510cadb800d2379840.exe
4716	9c6b53051039e6e3ada670ef5c591e69e3cadae46b3e78510cadb800d2379840.exe
3056	Hymenophyllaceae.exe
3056	Hymenophyllaceae.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
4716	9c6b53051039e6e3ada670ef5c591e69e3cadae46b3e78510cadb800d2379840.exe
4716	9c6b53051039e6e3ada670ef5c591e69e3cadae46b3e78510cadb800d2379840.exe
3056	Hymenophyllaceae.exe
3056	Hymenophyllaceae.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4716 wrote to memory of 3056	4716	9c6b53051039e6e3ada670ef5c591e69e3cadae46b3e78510cadb800d2379840.exe	87
PID 4716 wrote to memory of 3056	4716	9c6b53051039e6e3ada670ef5c591e69e3cadae46b3e78510cadb800d2379840.exe	87
PID 4716 wrote to memory of 3056	4716	9c6b53051039e6e3ada670ef5c591e69e3cadae46b3e78510cadb800d2379840.exe	87
PID 3056 wrote to memory of 3436	3056	Hymenophyllaceae.exe	88
PID 3056 wrote to memory of 3436	3056	Hymenophyllaceae.exe	88
PID 3056 wrote to memory of 3436	3056	Hymenophyllaceae.exe	88
PID 3056 wrote to memory of 3436	3056	Hymenophyllaceae.exe	88

C:\Users\Admin\AppData\Local\Temp\9c6b53051039e6e3ada670ef5c591e69e3cadae46b3e78510cadb800d2379840.exe
"C:\Users\Admin\AppData\Local\Temp\9c6b53051039e6e3ada670ef5c591e69e3cadae46b3e78510cadb800d2379840.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4716
- C:\Users\Admin\AppData\Local\extrorsal\Hymenophyllaceae.exe
  "C:\Users\Admin\AppData\Local\Temp\9c6b53051039e6e3ada670ef5c591e69e3cadae46b3e78510cadb800d2379840.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\9c6b53051039e6e3ada670ef5c591e69e3cadae46b3e78510cadb800d2379840.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hepatoduodenostomy

Filesize
203KB

MD5
d6b7e412b4cf323d74da9896bf40e283

SHA1
0230dc1b7ba49cfba6d0e995406889b1f37509ee

SHA256
63a0bd31fbb63275ab4d15e401fffa464318021a017553bcba795f9fa52a77d0

SHA512
294171964e5d0fe02d5d40c922922b0aba020a2e3e1db997a47ea57419671645d61bc223d3c0f90665a9182f08fc07369849bae37b7d526a59585329139551a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\intemeration

Filesize
58KB

MD5
44086d7a46f74b283701e6ae5e9baee3

SHA1
b0a44d968b0cb91f4f4f2b87369e3f40cbb7e3e0

SHA256
f62211bd921aea032d47294694e68376002dacec12b8e6b44ebd3d9350043a15

SHA512
57b094bb14ab82b26c347c01cedffcbd7cc768e8ef1ef765767393a83af950f2fc9d14df2ce3934ed6858336d6e0dff8369a5be33714dc2c70ce78fbaa0c0026

Download Submit
C:\Users\Admin\AppData\Local\extrorsal\Hymenophyllaceae.exe

Filesize
743KB

MD5
e9f5c88ac891da1d0beccbd87d5e019d

SHA1
f967099f11090fb9f8aada10189211c98b777a0d

SHA256
9c6b53051039e6e3ada670ef5c591e69e3cadae46b3e78510cadb800d2379840

SHA512
ebdfe47786bec52aaf399b35a174a05f5840d7897f85de979953b36f1611ebfe47744ab4e74dd77eefbb28525cebd64c8bfe5948ad842460c19907c649dcdb28

Download Submit
memory/3056-39-0x0000000000B30000-0x0000000000CD5000-memory.dmp

Filesize
1.6MB

Download
memory/3056-17-0x0000000000B30000-0x0000000000CD5000-memory.dmp

Filesize
1.6MB

Download
memory/3436-37-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3436-43-0x0000000005DA0000-0x0000000005DEE000-memory.dmp

Filesize
312KB

Download
memory/3436-34-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3436-36-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3436-49-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3436-47-0x0000000006F00000-0x0000000006F92000-memory.dmp

Filesize
584KB

Download
memory/3436-35-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3436-40-0x0000000073B8E000-0x0000000073B8F000-memory.dmp

Filesize
4KB

Download
memory/3436-41-0x0000000005CE0000-0x0000000005D30000-memory.dmp

Filesize
320KB

Download
memory/3436-42-0x00000000065B0000-0x0000000006B54000-memory.dmp

Filesize
5.6MB

Download
memory/3436-46-0x0000000073B8E000-0x0000000073B8F000-memory.dmp

Filesize
4KB

Download
memory/3436-44-0x00000000060A0000-0x000000000613C000-memory.dmp

Filesize
624KB

Download
memory/3436-45-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4716-19-0x0000000000140000-0x00000000002E5000-memory.dmp

Filesize
1.6MB

Download
memory/4716-0-0x0000000000140000-0x00000000002E5000-memory.dmp

Filesize
1.6MB

Download
memory/4716-12-0x00000000039D0000-0x00000000039D4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing