vipkeylogger | 30e0259012e5808f7a34b0a9c7fba9194ae40bfa6fcba4a6f28787623a5f8cb1

Analysis

max time kernel
59s
max time network
31s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/10/2024, 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30e0259012e5808f7a34b0a9c7fba9194ae40bfa6fcba4a6f28787623a5f8cb1.docx
Size

319KB
MD5

2067ab5c7dccaf617d8bcd49d82377e7
SHA1

41ec569c2e6dde09b588092c01af599fdb8b3101
SHA256

30e0259012e5808f7a34b0a9c7fba9194ae40bfa6fcba4a6f28787623a5f8cb1
SHA512

1db3242c04006754127cbb14e75f4b5558908ae8b79ce9116059cd8d1acaa7787d591e4088b464e44f8dda8bfc2a8209e36246c07adb6c7470035eb6a3a5b193
SSDEEP

6144:107JHBA0B56szCXqqqqqmzYhuO+FLh5C2z9mL9:+d/qYYFNHrz98

Score

10^/10

vipkeylogger collection discovery execution keylogger spyware stealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.tonicables.top
Port:
587
Username:
[email protected]
Password:
7213575aceACE@@
Email To:
[email protected]

Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	2676	EQNEDT32.EXE

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2236	powershell.exe

Downloads MZ/PE file
Abuses OpenXML format to download file from external location

Executes dropped EXE 2 IoCs

pid	Process
484	rekigobi34567.exe
3004	rekigobi34567.exe

Loads dropped DLL 1 IoCs

pid	Process
2676	EQNEDT32.EXE

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rekigobi34567.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rekigobi34567.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rekigobi34567.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	checkip.dyndns.org

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 484 set thread context of 3004	484	rekigobi34567.exe	37

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rekigobi34567.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rekigobi34567.exe

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2676	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3012	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3004	rekigobi34567.exe
2236	powershell.exe
3004	rekigobi34567.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3004	rekigobi34567.exe
Token: SeDebugPrivilege	2236	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3012	WINWORD.EXE
3012	WINWORD.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 484	2676	EQNEDT32.EXE	32
PID 2676 wrote to memory of 484	2676	EQNEDT32.EXE	32
PID 2676 wrote to memory of 484	2676	EQNEDT32.EXE	32
PID 2676 wrote to memory of 484	2676	EQNEDT32.EXE	32
PID 3012 wrote to memory of 1760	3012	WINWORD.EXE	35
PID 3012 wrote to memory of 1760	3012	WINWORD.EXE	35
PID 3012 wrote to memory of 1760	3012	WINWORD.EXE	35
PID 3012 wrote to memory of 1760	3012	WINWORD.EXE	35
PID 484 wrote to memory of 2236	484	rekigobi34567.exe	36
PID 484 wrote to memory of 2236	484	rekigobi34567.exe	36
PID 484 wrote to memory of 2236	484	rekigobi34567.exe	36
PID 484 wrote to memory of 2236	484	rekigobi34567.exe	36
PID 484 wrote to memory of 3004	484	rekigobi34567.exe	37
PID 484 wrote to memory of 3004	484	rekigobi34567.exe	37
PID 484 wrote to memory of 3004	484	rekigobi34567.exe	37
PID 484 wrote to memory of 3004	484	rekigobi34567.exe	37
PID 484 wrote to memory of 3004	484	rekigobi34567.exe	37
PID 484 wrote to memory of 3004	484	rekigobi34567.exe	37
PID 484 wrote to memory of 3004	484	rekigobi34567.exe	37
PID 484 wrote to memory of 3004	484	rekigobi34567.exe	37
PID 484 wrote to memory of 3004	484	rekigobi34567.exe	37

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rekigobi34567.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rekigobi34567.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\30e0259012e5808f7a34b0a9c7fba9194ae40bfa6fcba4a6f28787623a5f8cb1.docx"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1760

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Users\Admin\AppData\Roaming\rekigobi34567.exe
  "C:\Users\Admin\AppData\Roaming\rekigobi34567.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:484
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rekigobi34567.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2236
- - C:\Users\Admin\AppData\Roaming\rekigobi34567.exe
    "C:\Users\Admin\AppData\Roaming\rekigobi34567.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
2b308bb62fa318a25f41975e56a05cd6

SHA1
e4107cdafd98bb8a484ca6decfee839f0cd3ee19

SHA256
cdea8f35126837d69101ce820fc37fab3944287dcce519ef7a5600a7ab539921

SHA512
241e8a9b87b8a27a8da7b18aa913510c9afcb20b0c49e9f44d9bf97c7fb300046204bb1c576b46c82104d6b23f5af036479b9f8600605f7bd3d0675439e83cef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0WBLVJY\7vbu8ZW8lFI8mn5[1].doc

Filesize
687KB

MD5
00c4c82a063c048c37808a72ea1f04e3

SHA1
9ab87b7393168e6a3f181524ee69c818bd70cff6

SHA256
fe6dc6138bf4bd851087fcc708493877ff458ba2da42f499ced66164e8e9dcd2

SHA512
5194e8fc20dccdec0b1b7f7a30a500a4696868646ab9adc7e8974e737ebaf2191aa0cac1bc50dbe89c6623598fcbb3505c0ff46ec9114d94aacf3caa8dfed3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\{79E22A1C-E48D-4510-932D-BA1F0EE34C2A}

Filesize
128KB

MD5
86ecabda042bad2aa9d254725cb173ea

SHA1
aea8349cc9bdb19de77bdc9dd449321dfe049e7c

SHA256
9189af240de3977e7bd77259097eaef3da761ae4b3a086c76008e50d3cc1bf26

SHA512
660b4d56330e65ae8667345164825eef5425125d8dcbcb727417de379f0e5d86a4ea6322eb9791f1b4b9c5a02be18c01f4f84dea0a47921676dc54d2ddc63ff5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Roaming\rekigobi34567.exe

Filesize
730KB

MD5
07188bef748562cde18f2b77f76bae94

SHA1
70f3fddd3fb0030e4e7422a41d560374c463e1dc

SHA256
2a53872f573a1817be1848779e60c7db22501badc0afd7f364ee30a77dce3395

SHA512
fab75b7746af8b04bda1361737d47e33bb770be79872830722bf4affe2231d222c01032f73f48d92268027a20e0eb230c7c8ff3a94b6813b2ce4dd445e6ddf94

Download Submit
memory/484-103-0x00000000004C0000-0x00000000004DC000-memory.dmp

Filesize
112KB

Download
memory/484-104-0x0000000005230000-0x00000000052BA000-memory.dmp

Filesize
552KB

Download
memory/484-94-0x0000000000A10000-0x0000000000ACC000-memory.dmp

Filesize
752KB

Download
memory/3004-113-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3004-116-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3004-118-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3004-114-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3004-111-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3004-109-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3004-107-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3004-105-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3012-102-0x0000000070FAD000-0x0000000070FB8000-memory.dmp

Filesize
44KB

Download
memory/3012-0-0x000000002F9C1000-0x000000002F9C2000-memory.dmp

Filesize
4KB

Download
memory/3012-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3012-2-0x0000000070FAD000-0x0000000070FB8000-memory.dmp

Filesize
44KB

Download