vipkeylogger | f2dd6d6e19c788b4cb99a657639ffbae1e7ab5ff54c121ffaac86a494cf61e4f

General

Target

YKBGunlukEkstre.exe
Size

2.9MB
MD5

8866c07b36f379aebfabee79b0f263ac
SHA1

db1121a0e6cd16ffc6e5a05a278849858aee2841
SHA256

a3011ad648631ad2cac00f423cb3d5c6a35b94a26b5975890b2c7471dd4fd503
SHA512

8d8e8d4197af67dc10451018edb98ec911958624c5de99044aaed0bc8637ab9319ae65b5f50add058f4e4a781de72782cc22f1907ccc92ab0b2fadb68456ffd6
SSDEEP

12288:1qg/g+A9KxFXIXNPR+LoyI8ViqCLZ/HhGYpwdc0D+sK:FtcK7I9PYZCLNYZO0D1K

Score

10^/10

vipkeylogger collection discovery keylogger stealer

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.akguneselektrik.com
Port:
21
Username:
akgunes
Password:
9H5xQVGg

Extracted

Family

vipkeylogger

Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	CasPol.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	CasPol.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	CasPol.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2012 set thread context of 2160	2012	YKBGunlukEkstre.exe	31

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2160	CasPol.exe
2160	CasPol.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2160	CasPol.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2160	2012	YKBGunlukEkstre.exe	31
PID 2012 wrote to memory of 2160	2012	YKBGunlukEkstre.exe	31
PID 2012 wrote to memory of 2160	2012	YKBGunlukEkstre.exe	31
PID 2012 wrote to memory of 2160	2012	YKBGunlukEkstre.exe	31
PID 2012 wrote to memory of 2160	2012	YKBGunlukEkstre.exe	31
PID 2012 wrote to memory of 2160	2012	YKBGunlukEkstre.exe	31
PID 2012 wrote to memory of 2160	2012	YKBGunlukEkstre.exe	31
PID 2012 wrote to memory of 2160	2012	YKBGunlukEkstre.exe	31
PID 2012 wrote to memory of 2160	2012	YKBGunlukEkstre.exe	31
PID 2012 wrote to memory of 2124	2012	YKBGunlukEkstre.exe	32
PID 2012 wrote to memory of 2124	2012	YKBGunlukEkstre.exe	32
PID 2012 wrote to memory of 2124	2012	YKBGunlukEkstre.exe	32

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	CasPol.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	CasPol.exe

C:\Users\Admin\AppData\Local\Temp\YKBGunlukEkstre.exe
"C:\Users\Admin\AppData\Local\Temp\YKBGunlukEkstre.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:2160
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2012 -s 728
  2⤵
  PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

1

T1217

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2012-0-0x000007FEF59C3000-0x000007FEF59C4000-memory.dmp

Filesize
4KB

Download
memory/2012-1-0x0000000000B00000-0x0000000000B08000-memory.dmp

Filesize
32KB

Download
memory/2012-2-0x000007FEF59C0000-0x000007FEF63AC000-memory.dmp

Filesize
9.9MB

Download
memory/2012-3-0x000007FEF59C3000-0x000007FEF59C4000-memory.dmp

Filesize
4KB

Download
memory/2012-4-0x000007FEF59C0000-0x000007FEF63AC000-memory.dmp

Filesize
9.9MB

Download
memory/2012-5-0x000000001A680000-0x000000001A71C000-memory.dmp

Filesize
624KB

Download
memory/2160-6-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2160-9-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2160-12-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2160-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2160-8-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2160-10-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2160-16-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2160-14-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2160-17-0x000000007405E000-0x000000007405F000-memory.dmp

Filesize
4KB

Download
memory/2160-18-0x0000000074050000-0x000000007473E000-memory.dmp

Filesize
6.9MB

Download
memory/2160-19-0x000000007405E000-0x000000007405F000-memory.dmp

Filesize
4KB

Download
memory/2160-20-0x0000000074050000-0x000000007473E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads