vipkeylogger | 6b76eb508fb4236757a2bae20bf0f13b232f66845ee10e207af3c3e48eb80099

General

Target

6b76eb508fb4236757a2bae20bf0f13b232f66845ee10e207af3c3e48eb80099.exe
Size

607KB
MD5

51c9f6d4e1e35f7c17200b1294fffcd2
SHA1

ca0b064a1cf6a2ca2ae702d2a037efb5175fd183
SHA256

6b76eb508fb4236757a2bae20bf0f13b232f66845ee10e207af3c3e48eb80099
SHA512

db2433a67b5467430feadb6d79068d555fb9f6b61cff845f246a03e9a652801c85f780b5df18bd02d0546af1ba4cfa5c191779d67bf72fa6bd460dad91eff6ae
SSDEEP

12288:93hOsNnpxA98r1sSMqyqTnRK/jUeVInHVNmiuIfR2iWdoJk/6Y:5IknpxA98r1sSByq1KADWKg9b

Score

10^/10

vipkeylogger collection discovery keylogger stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.ardvessels.com
Port:
587
Username:
[email protected]
Password:
751555ardT

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.ardvessels.com
Port:
587
Username:
[email protected]
Password:
751555ardT
Email To:
[email protected]

Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2912 set thread context of 3008	2912	6b76eb508fb4236757a2bae20bf0f13b232f66845ee10e207af3c3e48eb80099.exe	31

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jsc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3008	jsc.exe
3008	jsc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3008	jsc.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 2796	2912	6b76eb508fb4236757a2bae20bf0f13b232f66845ee10e207af3c3e48eb80099.exe	30
PID 2912 wrote to memory of 2796	2912	6b76eb508fb4236757a2bae20bf0f13b232f66845ee10e207af3c3e48eb80099.exe	30
PID 2912 wrote to memory of 2796	2912	6b76eb508fb4236757a2bae20bf0f13b232f66845ee10e207af3c3e48eb80099.exe	30
PID 2912 wrote to memory of 2796	2912	6b76eb508fb4236757a2bae20bf0f13b232f66845ee10e207af3c3e48eb80099.exe	30
PID 2912 wrote to memory of 2796	2912	6b76eb508fb4236757a2bae20bf0f13b232f66845ee10e207af3c3e48eb80099.exe	30
PID 2912 wrote to memory of 2796	2912	6b76eb508fb4236757a2bae20bf0f13b232f66845ee10e207af3c3e48eb80099.exe	30
PID 2912 wrote to memory of 2796	2912	6b76eb508fb4236757a2bae20bf0f13b232f66845ee10e207af3c3e48eb80099.exe	30
PID 2912 wrote to memory of 3008	2912	6b76eb508fb4236757a2bae20bf0f13b232f66845ee10e207af3c3e48eb80099.exe	31
PID 2912 wrote to memory of 3008	2912	6b76eb508fb4236757a2bae20bf0f13b232f66845ee10e207af3c3e48eb80099.exe	31
PID 2912 wrote to memory of 3008	2912	6b76eb508fb4236757a2bae20bf0f13b232f66845ee10e207af3c3e48eb80099.exe	31
PID 2912 wrote to memory of 3008	2912	6b76eb508fb4236757a2bae20bf0f13b232f66845ee10e207af3c3e48eb80099.exe	31
PID 2912 wrote to memory of 3008	2912	6b76eb508fb4236757a2bae20bf0f13b232f66845ee10e207af3c3e48eb80099.exe	31
PID 2912 wrote to memory of 3008	2912	6b76eb508fb4236757a2bae20bf0f13b232f66845ee10e207af3c3e48eb80099.exe	31
PID 2912 wrote to memory of 3008	2912	6b76eb508fb4236757a2bae20bf0f13b232f66845ee10e207af3c3e48eb80099.exe	31
PID 2912 wrote to memory of 3008	2912	6b76eb508fb4236757a2bae20bf0f13b232f66845ee10e207af3c3e48eb80099.exe	31
PID 2912 wrote to memory of 3008	2912	6b76eb508fb4236757a2bae20bf0f13b232f66845ee10e207af3c3e48eb80099.exe	31
PID 2912 wrote to memory of 2756	2912	6b76eb508fb4236757a2bae20bf0f13b232f66845ee10e207af3c3e48eb80099.exe	32
PID 2912 wrote to memory of 2756	2912	6b76eb508fb4236757a2bae20bf0f13b232f66845ee10e207af3c3e48eb80099.exe	32
PID 2912 wrote to memory of 2756	2912	6b76eb508fb4236757a2bae20bf0f13b232f66845ee10e207af3c3e48eb80099.exe	32

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe

C:\Users\Admin\AppData\Local\Temp\6b76eb508fb4236757a2bae20bf0f13b232f66845ee10e207af3c3e48eb80099.exe
"C:\Users\Admin\AppData\Local\Temp\6b76eb508fb4236757a2bae20bf0f13b232f66845ee10e207af3c3e48eb80099.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
  2⤵
  PID:2796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:3008
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2912 -s 620
  2⤵
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

1

T1217

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2912-0-0x000007FEF5003000-0x000007FEF5004000-memory.dmp

Filesize
4KB

Download
memory/2912-1-0x0000000001200000-0x000000000129C000-memory.dmp

Filesize
624KB

Download
memory/2912-2-0x000007FEF5000000-0x000007FEF59EC000-memory.dmp

Filesize
9.9MB

Download
memory/2912-15-0x000007FEF5000000-0x000007FEF59EC000-memory.dmp

Filesize
9.9MB

Download
memory/3008-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3008-12-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3008-10-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3008-8-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3008-4-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3008-6-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3008-5-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3008-13-0x0000000073C3E000-0x0000000073C3F000-memory.dmp

Filesize
4KB

Download
memory/3008-14-0x0000000073C30000-0x000000007431E000-memory.dmp

Filesize
6.9MB

Download
memory/3008-3-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3008-16-0x0000000073C3E000-0x0000000073C3F000-memory.dmp

Filesize
4KB

Download
memory/3008-17-0x0000000073C30000-0x000000007431E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads