vipkeylogger | d7e2d66756254a7d6b9ed19e319bb50aab22c403febf74018b969f177be69ce7

General

Target

#docs_8299010377388200191-pdf.js
Size

2KB
MD5

a3eba0dbcc62421aa69570771fcd82cf
SHA1

bac941af82effa0d32d14654a3e3d288eda0f553
SHA256

d7e2d66756254a7d6b9ed19e319bb50aab22c403febf74018b969f177be69ce7
SHA512

3fe59dbabaafcd73a84264eecc1a86eb87533bb64b4c1248127342e9a805fb660df81bba232c6f12719cd1ac8aa3f457942d49277e6f0be92ac77c211e3e9720

Score

10^/10

vipkeylogger collection discovery execution keylogger spyware stealer

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7611035255:AAG6J_WQ-wtnA6fnjVOncSf7x3AgQMz3pIk/sendMessage?chat_id=7469598136

Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2068	wscript.exe
7	2068	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
2848	titan-crypter-output_titanadminsecure.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	titan-crypter-output_titanadminsecure.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	titan-crypter-output_titanadminsecure.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	titan-crypter-output_titanadminsecure.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	checkip.dyndns.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	titan-crypter-output_titanadminsecure.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2848	titan-crypter-output_titanadminsecure.exe
2848	titan-crypter-output_titanadminsecure.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2848	titan-crypter-output_titanadminsecure.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2068	wscript.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2848	2068	wscript.exe	31
PID 2068 wrote to memory of 2848	2068	wscript.exe	31
PID 2068 wrote to memory of 2848	2068	wscript.exe	31
PID 2068 wrote to memory of 2848	2068	wscript.exe	31

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	titan-crypter-output_titanadminsecure.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	titan-crypter-output_titanadminsecure.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\#docs_8299010377388200191-pdf.js
1⤵
- Blocklisted process makes network request
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Local\Temp\titan-crypter-output_titanadminsecure\titan-crypter-output_titanadminsecure.exe
  "C:\Users\Admin\AppData\Local\Temp\titan-crypter-output_titanadminsecure\titan-crypter-output_titanadminsecure.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

JavaScript

1

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TITAN-~1.ZIP

Filesize
54KB

MD5
fa445f1720e1b602de6eea91aa3f45d3

SHA1
4ba939123e8acd6afd5191a145f23cca4b168cc6

SHA256
0cdcbcdd71ab1f5d0bb0676d37382b00c131fdf253a90dbaa57a2f3deeec78e3

SHA512
45f805c7f510f32a5abd4d73351936aec44b3116a42aa11960a024426bc0aacde420e3500e0dd3cff9f940ea05b3ac7051277558a1a3c3323acc614e1b628f97

Download Submit
C:\Users\Admin\AppData\Local\Temp\titan-crypter-output_titanadminsecure\titan-crypter-output_titanadminsecure.exe

Filesize
205KB

MD5
54e2dec7f1d626d27c77ac4120f0067e

SHA1
a2adb06e82bf86ec1b9e87b978c91a60e373b7e4

SHA256
de438de16b4f43d13405c49a765d7c3ce3569f72014fcdb59a88643807282758

SHA512
788c2e306a16259ad8ff879a7757761408dcad56ab838031cbd7d5442222f37238ace84169c3b2e1f8e58dc7bda625989748182d17d0a51a762f68c64944041e

Download Submit
memory/2068-22-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/2848-40-0x000000007402E000-0x000000007402F000-memory.dmp

Filesize
4KB

Download
memory/2848-41-0x00000000003B0000-0x00000000003E8000-memory.dmp

Filesize
224KB

Download
memory/2848-42-0x0000000074020000-0x000000007470E000-memory.dmp

Filesize
6.9MB

Download
memory/2848-43-0x000000007402E000-0x000000007402F000-memory.dmp

Filesize
4KB

Download
memory/2848-44-0x0000000074020000-0x000000007470E000-memory.dmp

Filesize
6.9MB

Download
memory/2848-45-0x0000000074020000-0x000000007470E000-memory.dmp

Filesize
6.9MB

Download
memory/2848-46-0x0000000074020000-0x000000007470E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing