vipkeylogger | 0ed95d416e4f9d22d078073c8e5f17d2717f30b07414845cd5b578412ea90514

General

Target

aca3d8614954a35938653f8a26effa4f96952d8227222ca57dda6ab7cd607424.docx
Size

459KB
MD5

d2d23ccc53607370c926fe786f92c75b
SHA1

8a84a9083d5b1e26fb9d0374efec7b259a3d059b
SHA256

aca3d8614954a35938653f8a26effa4f96952d8227222ca57dda6ab7cd607424
SHA512

2a38f263819d6350fdcc7e12345d68dbb6745eedef50ac261b488f73e534e0cc568c0d7dd909ca1bc438e436a9148aaf0f38f86792d8a92c174faef37e4396ca
SSDEEP

6144:hdlcbR5HastSFXbqUAbqUAbqUvyLE8IIIIIW0ru0rqme6eeCe9vCeXhdYp9tmYL2:zARtUVhpr/rqIXM9mrm9Bt2mhW8G0Yf

Score

10^/10

vipkeylogger collection discovery execution keylogger spyware stealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.covid19support.top
Port:
587
Username:
[email protected]
Password:
7213575aceACE@@
Email To:
[email protected]

Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

8 2284 EQNEDT32.EXE
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

1696 powershell.exe
Downloads MZ/PE file
Abuses OpenXML format to download file from external location
Executes dropped EXE 2 IoCs

Processes:

wealthcharliebgk.exewealthcharliebgk.exe

pid process

308 wealthcharliebgk.exe
1588 wealthcharliebgk.exe
Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid process

2284 EQNEDT32.EXE
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

flow	pid	process
8	2284	EQNEDT32.EXE

pid	process
1696	powershell.exe

pid	process
308	wealthcharliebgk.exe
1588	wealthcharliebgk.exe

pid	process
2284	EQNEDT32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

wealthcharliebgk.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wealthcharliebgk.exe
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wealthcharliebgk.exe
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wealthcharliebgk.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 checkip.dyndns.org

flow	ioc
9	checkip.dyndns.org

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

wealthcharliebgk.exe

description pid process target process

PID 308 set thread context of 1588 308 wealthcharliebgk.exe wealthcharliebgk.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 308 set thread context of 1588	308	wealthcharliebgk.exe	wealthcharliebgk.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

wealthcharliebgk.exewealthcharliebgk.exepowershell.exeWINWORD.EXEEQNEDT32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wealthcharliebgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wealthcharliebgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE

Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

2284 EQNEDT32.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2860 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

wealthcharliebgk.exepowershell.exe

pid process

1588 wealthcharliebgk.exe
1696 powershell.exe
1588 wealthcharliebgk.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

wealthcharliebgk.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1588 wealthcharliebgk.exe
Token: SeDebugPrivilege 1696 powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2860 WINWORD.EXE
2860 WINWORD.EXE

pid	process
2284	EQNEDT32.EXE

pid	process
2860	WINWORD.EXE

pid	process
1588	wealthcharliebgk.exe
1696	powershell.exe
1588	wealthcharliebgk.exe

description	pid	process
Token: SeDebugPrivilege	1588	wealthcharliebgk.exe
Token: SeDebugPrivilege	1696	powershell.exe

pid	process
2860	WINWORD.EXE
2860	WINWORD.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEwealthcharliebgk.exe

description	pid	process	target process
PID 2284 wrote to memory of 308	2284	EQNEDT32.EXE	wealthcharliebgk.exe
PID 2284 wrote to memory of 308	2284	EQNEDT32.EXE	wealthcharliebgk.exe
PID 2284 wrote to memory of 308	2284	EQNEDT32.EXE	wealthcharliebgk.exe
PID 2284 wrote to memory of 308	2284	EQNEDT32.EXE	wealthcharliebgk.exe
PID 2860 wrote to memory of 1392	2860	WINWORD.EXE	splwow64.exe
PID 2860 wrote to memory of 1392	2860	WINWORD.EXE	splwow64.exe
PID 2860 wrote to memory of 1392	2860	WINWORD.EXE	splwow64.exe
PID 2860 wrote to memory of 1392	2860	WINWORD.EXE	splwow64.exe
PID 308 wrote to memory of 1696	308	wealthcharliebgk.exe	powershell.exe
PID 308 wrote to memory of 1696	308	wealthcharliebgk.exe	powershell.exe
PID 308 wrote to memory of 1696	308	wealthcharliebgk.exe	powershell.exe
PID 308 wrote to memory of 1696	308	wealthcharliebgk.exe	powershell.exe
PID 308 wrote to memory of 1588	308	wealthcharliebgk.exe	wealthcharliebgk.exe
PID 308 wrote to memory of 1588	308	wealthcharliebgk.exe	wealthcharliebgk.exe
PID 308 wrote to memory of 1588	308	wealthcharliebgk.exe	wealthcharliebgk.exe
PID 308 wrote to memory of 1588	308	wealthcharliebgk.exe	wealthcharliebgk.exe
PID 308 wrote to memory of 1588	308	wealthcharliebgk.exe	wealthcharliebgk.exe
PID 308 wrote to memory of 1588	308	wealthcharliebgk.exe	wealthcharliebgk.exe
PID 308 wrote to memory of 1588	308	wealthcharliebgk.exe	wealthcharliebgk.exe
PID 308 wrote to memory of 1588	308	wealthcharliebgk.exe	wealthcharliebgk.exe
PID 308 wrote to memory of 1588	308	wealthcharliebgk.exe	wealthcharliebgk.exe

outlook_office_path 1 IoCs

Processes:

wealthcharliebgk.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wealthcharliebgk.exe

outlook_win_path 1 IoCs

Processes:

wealthcharliebgk.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wealthcharliebgk.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\aca3d8614954a35938653f8a26effa4f96952d8227222ca57dda6ab7cd607424.docx"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1392

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Users\Admin\AppData\Roaming\wealthcharliebgk.exe
  "C:\Users\Admin\AppData\Roaming\wealthcharliebgk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:308
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wealthcharliebgk.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1696
- - C:\Users\Admin\AppData\Roaming\wealthcharliebgk.exe
    "C:\Users\Admin\AppData\Roaming\wealthcharliebgk.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:1588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Browser Information Discovery

1

T1217

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{1DD84451-3458-4E70-99E7-99A658A033A8}.FSD

Filesize
128KB

MD5
fb048c247cb1449863b28b350e34f275

SHA1
b052852af7475d8f34e0d2aa6c42279f426e7da4

SHA256
219d6c8af4cbfaf441288c240df2d8154c03218f378ca884d08e6f1da9990c3b

SHA512
2f43052668199a485cc7b43c01be00765714008b99d2a9684e6a674ca5d8ac8c4afe870ec1b794f1c741e7f3906708add0888a6c2e8fae7354e486fe1160e9bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
856b676e0f421eaf081a361cdc8b0d7e

SHA1
3809254a4811d7fe15b266fc5e2e9f652941d934

SHA256
fd46109532147fd3279d5568a712eb1bb46614cd44c645d05ca48af4c816427b

SHA512
6eda3f5528fe9b6e0f7fe4a3cb9cd95a2c432cebed69a8f46efbe4a35b6307382e53f01cc27f01c7fb61b61ba300d0c5735e8e5bd62bcc0620c8d63abaa02866

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{0711ABB6-FB81-4B34-8A53-352CF87D2B01}.FSD

Filesize
128KB

MD5
27ee770bc121d5b248458c70b590b91e

SHA1
1f5bd60dca2c109879341bf7a23dd8601a92dfae

SHA256
e4b907995d5b994cd7b3fc2a7139dd584631835d2423eb04b9b3abef8c0fa8ba

SHA512
8a2b72350d963bbbe713114f73f175d2712dca9136a05ec39f861202fef4cd49f6b65b467cf5414007265f33516d10c4c0bf8b1c60ab7f1e7df66c8c28a94542

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\Xkl0PnD8zFPjfh1[1].wiz

Filesize
408KB

MD5
f6e89e6c3ab17d8d58699ccefeaf3c8d

SHA1
86c245d0a2ef138aa7afca6bb43316e251b07c68

SHA256
32f5bf26d32b42212ada3e88017ad037c6c84f760a64585252576d893a00ff5f

SHA512
ab3a82dcd600c7169da373101593480a1ef8e82b2d339b5367f0e2b118f23ec3eb591a3e269de3f5d8b0e0843ec4574b33c5f98e0344c4be38a26c25caccb4b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\{ADF19EBB-6FDA-4D9D-93CC-9A77DECBEEF0}

Filesize
128KB

MD5
280c6ce7db100a5fd2df1c20ee458302

SHA1
c0e3e4c4148b30bc428250e9bf1cdea890a9f1e1

SHA256
23710ab6c90d433dfaf49b57c691005e7bcfe2060f0d3489ed40199e75f636d8

SHA512
2880be9cddaa17c15c01038657472939399a342d392466c4c4170143bac404ba13c03ca6dc4a4873bfc5702efb9427d001c99786ec37f61365d4e30e94169b79

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
442B

MD5
9e9de9071da0725676cc17ec557998b7

SHA1
82fc660bfa65b29c96a7ae27326b962b62285314

SHA256
38d5196df776ee826892d52d6f7367608e610f1ad12fa881c7a56942a17e280b

SHA512
4d8a806225c348c1cec1defb58e9d56f26e7fc1c061c3d2c230c7921071b1911482213fd230ddb4114cde590acb54e25db447d2e7f232df766254bda87768560

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\wealthcharliebgk.exe

Filesize
768KB

MD5
ccc582f44adb0a736c9fbbfa9f20f325

SHA1
51aac7cd475ae0115f43d5069213300d6f66672c

SHA256
8278e7661e290287dbdba63e2d2c2add86c2f64da32dfb137aee4597cab76508

SHA512
0bb6f532238cb5b7db8846740fad0c616d4e0e4f2a89f6613f2f902cde3c19632b58287da223f97476679649b7978651d20e8ce363bd0e89ae893710674c78a6

Download Submit
memory/308-94-0x0000000001390000-0x0000000001454000-memory.dmp

Filesize
784KB

Download
memory/308-103-0x0000000000220000-0x0000000000232000-memory.dmp

Filesize
72KB

Download
memory/308-104-0x0000000005340000-0x00000000053CE000-memory.dmp

Filesize
568KB

Download
memory/1588-114-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1588-105-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1588-117-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1588-116-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1588-113-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1588-111-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1588-109-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1588-107-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2860-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2860-96-0x000000007189D000-0x00000000718A8000-memory.dmp

Filesize
44KB

Download
memory/2860-0-0x000000002FB01000-0x000000002FB02000-memory.dmp

Filesize
4KB

Download
memory/2860-2-0x000000007189D000-0x00000000718A8000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads