vipkeylogger | 79d9270edbf86a9503b71bb27d04a88c1f8506fadad7b702adf97c5893f6cb14

General

Target

REVISED INVOICE.exe
Size

772KB
MD5

76f0f7efa38fee04f22a3836c7f8f2d3
SHA1

68bccecfc0128f4542ffc35aa4a4644c3f9fff0e
SHA256

79d9270edbf86a9503b71bb27d04a88c1f8506fadad7b702adf97c5893f6cb14
SHA512

9f71c798af7d25ebdf63d5a7987bca41ba2ff3eb379a70b971730c9291a4f44238c4b3f66f9d38968315581424e801a49e9f24df0e53ed94a62184553b36bf1c
SSDEEP

12288:TlqG7jVsASFomUxB/U7UYyDD34kNn71L2PC2jxxjbaS47pxfd/TJQ8XV7XkR:b7RSOxP/JYy33Dpd2xv4VhfQ8lm

Score

10^/10

vipkeylogger collection discovery execution keylogger spyware stealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
smtp.ionos.fr
Port:
587
Username:
[email protected]
Password:
Jc.2o3o@
Email To:
[email protected]

Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2316	powershell.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	REVISED INVOICE.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	REVISED INVOICE.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	REVISED INVOICE.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2380 set thread context of 2860	2380	REVISED INVOICE.exe	35

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REVISED INVOICE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REVISED INVOICE.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2756	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2380	REVISED INVOICE.exe
2380	REVISED INVOICE.exe
2380	REVISED INVOICE.exe
2380	REVISED INVOICE.exe
2380	REVISED INVOICE.exe
2860	REVISED INVOICE.exe
2316	powershell.exe
2860	REVISED INVOICE.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	REVISED INVOICE.exe
Token: SeDebugPrivilege	2860	REVISED INVOICE.exe
Token: SeDebugPrivilege	2316	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2316	2380	REVISED INVOICE.exe	31
PID 2380 wrote to memory of 2316	2380	REVISED INVOICE.exe	31
PID 2380 wrote to memory of 2316	2380	REVISED INVOICE.exe	31
PID 2380 wrote to memory of 2316	2380	REVISED INVOICE.exe	31
PID 2380 wrote to memory of 2756	2380	REVISED INVOICE.exe	33
PID 2380 wrote to memory of 2756	2380	REVISED INVOICE.exe	33
PID 2380 wrote to memory of 2756	2380	REVISED INVOICE.exe	33
PID 2380 wrote to memory of 2756	2380	REVISED INVOICE.exe	33
PID 2380 wrote to memory of 2860	2380	REVISED INVOICE.exe	35
PID 2380 wrote to memory of 2860	2380	REVISED INVOICE.exe	35
PID 2380 wrote to memory of 2860	2380	REVISED INVOICE.exe	35
PID 2380 wrote to memory of 2860	2380	REVISED INVOICE.exe	35
PID 2380 wrote to memory of 2860	2380	REVISED INVOICE.exe	35
PID 2380 wrote to memory of 2860	2380	REVISED INVOICE.exe	35
PID 2380 wrote to memory of 2860	2380	REVISED INVOICE.exe	35
PID 2380 wrote to memory of 2860	2380	REVISED INVOICE.exe	35
PID 2380 wrote to memory of 2860	2380	REVISED INVOICE.exe	35

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	REVISED INVOICE.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	REVISED INVOICE.exe

C:\Users\Admin\AppData\Local\Temp\REVISED INVOICE.exe
"C:\Users\Admin\AppData\Local\Temp\REVISED INVOICE.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JfOfGZQ.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2316
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JfOfGZQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF650.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2756
- C:\Users\Admin\AppData\Local\Temp\REVISED INVOICE.exe
  "C:\Users\Admin\AppData\Local\Temp\REVISED INVOICE.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Browser Information Discovery

1

T1217

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF650.tmp

Filesize
1KB

MD5
2fe33f59e461f64d005d681861743c40

SHA1
1d345cd4bae2269209348c7f9e529d4fb76a7900

SHA256
875f13ad2c9275c149fd580e43ad2a690f40fedb6bee02f76fe81ef5dc57ddff

SHA512
195aec1ec7bfe82b7dc08dddbe22268358afe83f14717509c95dab8856d47b185be24ede9a11195192908087a7cfaa0cb73eda8733b522f8246e5e81ca8d5d1b

Download Submit
memory/2380-27-0x00000000749D0000-0x00000000750BE000-memory.dmp

Filesize
6.9MB

Download
memory/2380-1-0x0000000000B00000-0x0000000000BC2000-memory.dmp

Filesize
776KB

Download
memory/2380-2-0x00000000749D0000-0x00000000750BE000-memory.dmp

Filesize
6.9MB

Download
memory/2380-3-0x00000000004C0000-0x00000000004DE000-memory.dmp

Filesize
120KB

Download
memory/2380-4-0x00000000749DE000-0x00000000749DF000-memory.dmp

Filesize
4KB

Download
memory/2380-5-0x00000000749D0000-0x00000000750BE000-memory.dmp

Filesize
6.9MB

Download
memory/2380-6-0x0000000000590000-0x000000000061C000-memory.dmp

Filesize
560KB

Download
memory/2380-0-0x00000000749DE000-0x00000000749DF000-memory.dmp

Filesize
4KB

Download
memory/2860-12-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2860-16-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2860-22-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2860-24-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2860-21-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2860-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2860-19-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2860-14-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads