vipkeylogger | 2e44a9d4c4222298ee7bc1826fea1324bce8c22149ac188f3d62993b7ea18196

General

Target

お見積り依頼.exe
Size

798KB
MD5

d705e3b00a1125882c95bdfbb1bbf75a
SHA1

e3088a8c568b42841be80bd7cc33713cc71eb1cf
SHA256

a4e1e0459aaae381373eddecc0d421f6750cc55313a9f2afda5a2490863e6766
SHA512

0793ad7c7f5d183c5d226c629378ab1ee89df33f9ec85175dd86ec190e10f4e87aa25305001ee5aa5a90a4dad0d55380f5c01c7b2700acd89d7738f42ec2335c
SSDEEP

24576:w1SoVmA5mFsXVw68oDqIUxMDu/JtOTGPQHHJq:US2Tjx8VIeFGHJq

Score

10^/10

vipkeylogger discovery keylogger stealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.hgdijitalbaski.com
Port:
587
Username:
[email protected]
Password:
05310325799habil
Email To:
[email protected]

Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
33	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3416 set thread context of 4232	3416	お見積り依頼.exe	98

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4792	4232	WerFault.exe	98

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	お見積り依頼.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	お見積り依頼.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3416	お見積り依頼.exe
3416	お見積り依頼.exe
4232	お見積り依頼.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3416	お見積り依頼.exe
Token: SeDebugPrivilege	4232	お見積り依頼.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3416 wrote to memory of 5040	3416	お見積り依頼.exe	97
PID 3416 wrote to memory of 5040	3416	お見積り依頼.exe	97
PID 3416 wrote to memory of 5040	3416	お見積り依頼.exe	97
PID 3416 wrote to memory of 4232	3416	お見積り依頼.exe	98
PID 3416 wrote to memory of 4232	3416	お見積り依頼.exe	98
PID 3416 wrote to memory of 4232	3416	お見積り依頼.exe	98
PID 3416 wrote to memory of 4232	3416	お見積り依頼.exe	98
PID 3416 wrote to memory of 4232	3416	お見積り依頼.exe	98
PID 3416 wrote to memory of 4232	3416	お見積り依頼.exe	98
PID 3416 wrote to memory of 4232	3416	お見積り依頼.exe	98
PID 3416 wrote to memory of 4232	3416	お見積り依頼.exe	98

C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe
"C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3416
- C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe
  "C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe"
  2⤵
  PID:5040
- C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe
  "C:\Users\Admin\AppData\Local\Temp\お見積り依頼.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4232
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 1516
    3⤵
    - Program crash
    PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4232 -ip 4232
1⤵
PID:3164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\お見積り依頼.exe.log

Filesize
1KB

MD5
4cc6f03aae7dcd01ad96a90ae64d2d54

SHA1
a31aee650d19ebd041daa9ed64e72eaa2706ccae

SHA256
7d5eafc003a5754c6759c4d7d8254d86d938bb7adf2a7b2808f7a0c8b6aa4f60

SHA512
f131c2f8f39bb0809b54b34dc9d9015241412588b7e2fed1c82adb30ac94dffb2acf2af4256ddb7d511104e0807b11752a62c9819595728bf911a13456dcb248

Download Submit
memory/3416-8-0x00000000745CE000-0x00000000745CF000-memory.dmp

Filesize
4KB

Download
memory/3416-15-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/3416-3-0x0000000004E60000-0x0000000004EF2000-memory.dmp

Filesize
584KB

Download
memory/3416-4-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/3416-5-0x0000000004F10000-0x0000000004F1A000-memory.dmp

Filesize
40KB

Download
memory/3416-6-0x0000000005170000-0x000000000520C000-memory.dmp

Filesize
624KB

Download
memory/3416-7-0x0000000006330000-0x000000000634C000-memory.dmp

Filesize
112KB

Download
memory/3416-0-0x00000000745CE000-0x00000000745CF000-memory.dmp

Filesize
4KB

Download
memory/3416-2-0x0000000005310000-0x00000000058B4000-memory.dmp

Filesize
5.6MB

Download
memory/3416-9-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/3416-10-0x0000000004870000-0x00000000048FC000-memory.dmp

Filesize
560KB

Download
memory/3416-1-0x0000000000500000-0x00000000005CE000-memory.dmp

Filesize
824KB

Download
memory/4232-14-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/4232-11-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4232-16-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/4232-17-0x00000000069F0000-0x0000000006A38000-memory.dmp

Filesize
288KB

Download
memory/4232-18-0x0000000006B50000-0x0000000006C5E000-memory.dmp

Filesize
1.1MB

Download
memory/4232-19-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing