vipkeylogger | aca3d8614954a35938653f8a26effa4f96952d8227222ca57dda6ab7cd607424

General

Target

aca3d8614954a35938653f8a26effa4f96952d8227222ca57dda6ab7cd607424.docx
Size

459KB
MD5

d2d23ccc53607370c926fe786f92c75b
SHA1

8a84a9083d5b1e26fb9d0374efec7b259a3d059b
SHA256

aca3d8614954a35938653f8a26effa4f96952d8227222ca57dda6ab7cd607424
SHA512

2a38f263819d6350fdcc7e12345d68dbb6745eedef50ac261b488f73e534e0cc568c0d7dd909ca1bc438e436a9148aaf0f38f86792d8a92c174faef37e4396ca
SSDEEP

6144:hdlcbR5HastSFXbqUAbqUAbqUvyLE8IIIIIW0ru0rqme6eeCe9vCeXhdYp9tmYL2:zARtUVhpr/rqIXM9mrm9Bt2mhW8G0Yf

Score

10^/10

vipkeylogger collection discovery execution keylogger spyware stealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.covid19support.top
Port:
587
Username:
[email protected]
Password:
7213575aceACE@@
Email To:
[email protected]

Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 2680 EQNEDT32.EXE
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

1608 powershell.exe
Downloads MZ/PE file
Abuses OpenXML format to download file from external location
Executes dropped EXE 2 IoCs

Processes:

wealthcharliebgk.exewealthcharliebgk.exe

pid process

2820 wealthcharliebgk.exe
236 wealthcharliebgk.exe
Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid process

2680 EQNEDT32.EXE
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

flow	pid	process
7	2680	EQNEDT32.EXE

pid	process
1608	powershell.exe

pid	process
2820	wealthcharliebgk.exe
236	wealthcharliebgk.exe

pid	process
2680	EQNEDT32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

wealthcharliebgk.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wealthcharliebgk.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wealthcharliebgk.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wealthcharliebgk.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 checkip.dyndns.org

flow	ioc
8	checkip.dyndns.org

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

wealthcharliebgk.exe

description pid process target process

PID 2820 set thread context of 236 2820 wealthcharliebgk.exe wealthcharliebgk.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2820 set thread context of 236	2820	wealthcharliebgk.exe	wealthcharliebgk.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.exeWINWORD.EXEEQNEDT32.EXEwealthcharliebgk.exewealthcharliebgk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wealthcharliebgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wealthcharliebgk.exe

Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

2680 EQNEDT32.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2296 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

wealthcharliebgk.exepowershell.exe

pid process

236 wealthcharliebgk.exe
1608 powershell.exe
236 wealthcharliebgk.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

wealthcharliebgk.exepowershell.exe

description pid process

Token: SeDebugPrivilege 236 wealthcharliebgk.exe
Token: SeDebugPrivilege 1608 powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2296 WINWORD.EXE
2296 WINWORD.EXE

pid	process
2680	EQNEDT32.EXE

pid	process
2296	WINWORD.EXE

pid	process
236	wealthcharliebgk.exe
1608	powershell.exe
236	wealthcharliebgk.exe

description	pid	process
Token: SeDebugPrivilege	236	wealthcharliebgk.exe
Token: SeDebugPrivilege	1608	powershell.exe

pid	process
2296	WINWORD.EXE
2296	WINWORD.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEwealthcharliebgk.exe

description	pid	process	target process
PID 2680 wrote to memory of 2820	2680	EQNEDT32.EXE	wealthcharliebgk.exe
PID 2680 wrote to memory of 2820	2680	EQNEDT32.EXE	wealthcharliebgk.exe
PID 2680 wrote to memory of 2820	2680	EQNEDT32.EXE	wealthcharliebgk.exe
PID 2680 wrote to memory of 2820	2680	EQNEDT32.EXE	wealthcharliebgk.exe
PID 2296 wrote to memory of 1440	2296	WINWORD.EXE	splwow64.exe
PID 2296 wrote to memory of 1440	2296	WINWORD.EXE	splwow64.exe
PID 2296 wrote to memory of 1440	2296	WINWORD.EXE	splwow64.exe
PID 2296 wrote to memory of 1440	2296	WINWORD.EXE	splwow64.exe
PID 2820 wrote to memory of 1608	2820	wealthcharliebgk.exe	powershell.exe
PID 2820 wrote to memory of 1608	2820	wealthcharliebgk.exe	powershell.exe
PID 2820 wrote to memory of 1608	2820	wealthcharliebgk.exe	powershell.exe
PID 2820 wrote to memory of 1608	2820	wealthcharliebgk.exe	powershell.exe
PID 2820 wrote to memory of 236	2820	wealthcharliebgk.exe	wealthcharliebgk.exe
PID 2820 wrote to memory of 236	2820	wealthcharliebgk.exe	wealthcharliebgk.exe
PID 2820 wrote to memory of 236	2820	wealthcharliebgk.exe	wealthcharliebgk.exe
PID 2820 wrote to memory of 236	2820	wealthcharliebgk.exe	wealthcharliebgk.exe
PID 2820 wrote to memory of 236	2820	wealthcharliebgk.exe	wealthcharliebgk.exe
PID 2820 wrote to memory of 236	2820	wealthcharliebgk.exe	wealthcharliebgk.exe
PID 2820 wrote to memory of 236	2820	wealthcharliebgk.exe	wealthcharliebgk.exe
PID 2820 wrote to memory of 236	2820	wealthcharliebgk.exe	wealthcharliebgk.exe
PID 2820 wrote to memory of 236	2820	wealthcharliebgk.exe	wealthcharliebgk.exe

outlook_office_path 1 IoCs

Processes:

wealthcharliebgk.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wealthcharliebgk.exe

outlook_win_path 1 IoCs

Processes:

wealthcharliebgk.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wealthcharliebgk.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\aca3d8614954a35938653f8a26effa4f96952d8227222ca57dda6ab7cd607424.docx"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1440

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Users\Admin\AppData\Roaming\wealthcharliebgk.exe
  "C:\Users\Admin\AppData\Roaming\wealthcharliebgk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wealthcharliebgk.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1608
- - C:\Users\Admin\AppData\Roaming\wealthcharliebgk.exe
    "C:\Users\Admin\AppData\Roaming\wealthcharliebgk.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Browser Information Discovery

1

T1217

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{782DB290-1063-4EEB-8441-EDF37403211C}.FSD

Filesize
128KB

MD5
78787527d1a10e9dd8f7cdf8f118c032

SHA1
b5e4e2c71c5e0870fb285aa52c9c64f7f0c01c41

SHA256
9a902611d960123eabf9b9111691e6715737982148f7a481229d84247f441f88

SHA512
7b878e2bb71e14238381c5a1d447c4fe08db464156190e5ad3061ef98d0855b33fb42c44b846d2578c8f65b46c4553d03b597c3b1da94daad49da77d03e056ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
c3eba9366a7254083fbd8eff0654189d

SHA1
86c5d349a83c05aca34adf7c6cec0cfe4ed1ad06

SHA256
87277b75d452dbaf23c86c0e39a2984390f8c955104fa3ea82e52a6e88a9b8d8

SHA512
e4f496f5573a214a76cedc5782872e800aee12a0a36f2a172c3848f088d1219686083d3401230aa84f867385b0f877d5116d14e0f60437359152ea928af93146

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8UFEBH5\Xkl0PnD8zFPjfh1[1].wiz

Filesize
408KB

MD5
f6e89e6c3ab17d8d58699ccefeaf3c8d

SHA1
86c245d0a2ef138aa7afca6bb43316e251b07c68

SHA256
32f5bf26d32b42212ada3e88017ad037c6c84f760a64585252576d893a00ff5f

SHA512
ab3a82dcd600c7169da373101593480a1ef8e82b2d339b5367f0e2b118f23ec3eb591a3e269de3f5d8b0e0843ec4574b33c5f98e0344c4be38a26c25caccb4b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\{FE408840-2DDA-4F68-9105-C18B391D24E9}

Filesize
128KB

MD5
6a1d21fb43ef4d47ae63a8d305ad674a

SHA1
759db6da08f71400ec9224f14990baccda025629

SHA256
7869255dac2bf30d43dc8b08645f91027db595cd74d897dbd6f8804fe532889f

SHA512
2aeb9eac4468fc7af1b77c59f311197bfbf59237a19ab4e7e490dcdc28aef003b24ac675f5142eb87362e8155e6c7b6d5d1f5d68f707de9067c82b809395c283

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
450B

MD5
7ccc6a3b8e748af2b1eac1e42c80a20a

SHA1
6efd9edfe0838ce37358157174c138ecf7928b33

SHA256
c25a30394caade75bd72cd72a88fa505739b437ba87b106723ac1e46a893541b

SHA512
7275b6ea968e55494c5b313cb739dc3239b4ee9ddc52ec2dabbe03ff94faa9be2712f8eb14f3054c5b62ed8b910200a3657493966c2eaaa6a466ded82ff837f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Roaming\wealthcharliebgk.exe

Filesize
768KB

MD5
ccc582f44adb0a736c9fbbfa9f20f325

SHA1
51aac7cd475ae0115f43d5069213300d6f66672c

SHA256
8278e7661e290287dbdba63e2d2c2add86c2f64da32dfb137aee4597cab76508

SHA512
0bb6f532238cb5b7db8846740fad0c616d4e0e4f2a89f6613f2f902cde3c19632b58287da223f97476679649b7978651d20e8ce363bd0e89ae893710674c78a6

Download Submit
memory/236-105-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/236-116-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/236-109-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/236-111-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/236-113-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/236-114-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/236-118-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/236-107-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2296-0-0x000000002FC31000-0x000000002FC32000-memory.dmp

Filesize
4KB

Download
memory/2296-2-0x000000007147D000-0x0000000071488000-memory.dmp

Filesize
44KB

Download
memory/2296-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2296-96-0x000000007147D000-0x0000000071488000-memory.dmp

Filesize
44KB

Download
memory/2820-104-0x0000000005330000-0x00000000053BE000-memory.dmp

Filesize
568KB

Download
memory/2820-103-0x00000000002A0000-0x00000000002B2000-memory.dmp

Filesize
72KB

Download
memory/2820-94-0x0000000000E40000-0x0000000000F04000-memory.dmp

Filesize
784KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads