vipkeylogger | 0ed95d416e4f9d22d078073c8e5f17d2717f30b07414845cd5b578412ea90514

General

Target

aca3d8614954a35938653f8a26effa4f96952d8227222ca57dda6ab7cd607424.docx
Size

459KB
MD5

d2d23ccc53607370c926fe786f92c75b
SHA1

8a84a9083d5b1e26fb9d0374efec7b259a3d059b
SHA256

aca3d8614954a35938653f8a26effa4f96952d8227222ca57dda6ab7cd607424
SHA512

2a38f263819d6350fdcc7e12345d68dbb6745eedef50ac261b488f73e534e0cc568c0d7dd909ca1bc438e436a9148aaf0f38f86792d8a92c174faef37e4396ca
SSDEEP

6144:hdlcbR5HastSFXbqUAbqUAbqUvyLE8IIIIIW0ru0rqme6eeCe9vCeXhdYp9tmYL2:zARtUVhpr/rqIXM9mrm9Bt2mhW8G0Yf

Score

10^/10

vipkeylogger collection discovery execution keylogger spyware stealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.covid19support.top
Port:
587
Username:
[email protected]
Password:
7213575aceACE@@
Email To:
[email protected]

Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 2680 EQNEDT32.EXE
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2700 powershell.exe
Downloads MZ/PE file
Abuses OpenXML format to download file from external location
Executes dropped EXE 2 IoCs

Processes:

wealthcharliebgk.exewealthcharliebgk.exe

pid process

1560 wealthcharliebgk.exe
2088 wealthcharliebgk.exe
Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid process

2680 EQNEDT32.EXE
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

flow	pid	process
7	2680	EQNEDT32.EXE

pid	process
2700	powershell.exe

pid	process
1560	wealthcharliebgk.exe
2088	wealthcharliebgk.exe

pid	process
2680	EQNEDT32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

wealthcharliebgk.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wealthcharliebgk.exe
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wealthcharliebgk.exe
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wealthcharliebgk.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 checkip.dyndns.org

flow	ioc
8	checkip.dyndns.org

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

wealthcharliebgk.exe

description pid process target process

PID 1560 set thread context of 2088 1560 wealthcharliebgk.exe wealthcharliebgk.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 1560 set thread context of 2088	1560	wealthcharliebgk.exe	wealthcharliebgk.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

EQNEDT32.EXEwealthcharliebgk.exewealthcharliebgk.exepowershell.exeWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wealthcharliebgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wealthcharliebgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

2680 EQNEDT32.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

304 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

wealthcharliebgk.exepowershell.exe

pid process

2088 wealthcharliebgk.exe
2700 powershell.exe
2088 wealthcharliebgk.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

wealthcharliebgk.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2088 wealthcharliebgk.exe
Token: SeDebugPrivilege 2700 powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

304 WINWORD.EXE
304 WINWORD.EXE

pid	process
2680	EQNEDT32.EXE

pid	process
304	WINWORD.EXE

pid	process
2088	wealthcharliebgk.exe
2700	powershell.exe
2088	wealthcharliebgk.exe

description	pid	process
Token: SeDebugPrivilege	2088	wealthcharliebgk.exe
Token: SeDebugPrivilege	2700	powershell.exe

pid	process
304	WINWORD.EXE
304	WINWORD.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEwealthcharliebgk.exe

description	pid	process	target process
PID 2680 wrote to memory of 1560	2680	EQNEDT32.EXE	wealthcharliebgk.exe
PID 2680 wrote to memory of 1560	2680	EQNEDT32.EXE	wealthcharliebgk.exe
PID 2680 wrote to memory of 1560	2680	EQNEDT32.EXE	wealthcharliebgk.exe
PID 2680 wrote to memory of 1560	2680	EQNEDT32.EXE	wealthcharliebgk.exe
PID 304 wrote to memory of 1152	304	WINWORD.EXE	splwow64.exe
PID 304 wrote to memory of 1152	304	WINWORD.EXE	splwow64.exe
PID 304 wrote to memory of 1152	304	WINWORD.EXE	splwow64.exe
PID 304 wrote to memory of 1152	304	WINWORD.EXE	splwow64.exe
PID 1560 wrote to memory of 2700	1560	wealthcharliebgk.exe	powershell.exe
PID 1560 wrote to memory of 2700	1560	wealthcharliebgk.exe	powershell.exe
PID 1560 wrote to memory of 2700	1560	wealthcharliebgk.exe	powershell.exe
PID 1560 wrote to memory of 2700	1560	wealthcharliebgk.exe	powershell.exe
PID 1560 wrote to memory of 2088	1560	wealthcharliebgk.exe	wealthcharliebgk.exe
PID 1560 wrote to memory of 2088	1560	wealthcharliebgk.exe	wealthcharliebgk.exe
PID 1560 wrote to memory of 2088	1560	wealthcharliebgk.exe	wealthcharliebgk.exe
PID 1560 wrote to memory of 2088	1560	wealthcharliebgk.exe	wealthcharliebgk.exe
PID 1560 wrote to memory of 2088	1560	wealthcharliebgk.exe	wealthcharliebgk.exe
PID 1560 wrote to memory of 2088	1560	wealthcharliebgk.exe	wealthcharliebgk.exe
PID 1560 wrote to memory of 2088	1560	wealthcharliebgk.exe	wealthcharliebgk.exe
PID 1560 wrote to memory of 2088	1560	wealthcharliebgk.exe	wealthcharliebgk.exe
PID 1560 wrote to memory of 2088	1560	wealthcharliebgk.exe	wealthcharliebgk.exe

outlook_office_path 1 IoCs

Processes:

wealthcharliebgk.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wealthcharliebgk.exe

outlook_win_path 1 IoCs

Processes:

wealthcharliebgk.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wealthcharliebgk.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\aca3d8614954a35938653f8a26effa4f96952d8227222ca57dda6ab7cd607424.docx"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:304
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1152

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Users\Admin\AppData\Roaming\wealthcharliebgk.exe
  "C:\Users\Admin\AppData\Roaming\wealthcharliebgk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wealthcharliebgk.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2700
- - C:\Users\Admin\AppData\Roaming\wealthcharliebgk.exe
    "C:\Users\Admin\AppData\Roaming\wealthcharliebgk.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Browser Information Discovery

1

T1217

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{B43CF14A-CB58-461E-AFAE-8078F6E38E75}.FSD

Filesize
128KB

MD5
7439f8329691f3688d7e4aeeab567b21

SHA1
f34304ede065af74f7faa6cc9e18c5262fe90634

SHA256
4115efe8b78dfe56a80497492dffcb7ebca9c8e7eb627d54bfc37b1a3e07843d

SHA512
463d5971430631520c9131d8c5cf82dcedb79c00ac635df571f02519152a10c97ff056be0de6c2035745cf73ecf04307f0bb47a5f04120f7bde39887238f62d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
419606b80d97034c50f8b9cb6c602efe

SHA1
1ec867ecc7a04057e07a22efcf70dc50a6710ae7

SHA256
8f9f99d8d8b6422a068dbe23ac3e0bbe369b1c7a5cdfe71c08b2074d0c2f8cf4

SHA512
491ffed70efc225ac3034a746282588c0f1e6be00da81ce3cb9afeb8dd5e9df35d553678f8ec2d8aa5ce056069567dfc53b6bcd113ae1b9964051a43d3e0b8cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{8E516895-3E8C-4B91-A134-FAD4EB37C72D}.FSD

Filesize
128KB

MD5
8223fbc711316f2a1fb0bbdcf99995a3

SHA1
cd20487b57c9e1f0cb72e6f296a7e66e520d30ed

SHA256
44de6f23cd4fd8f697a70b84e1779a4f07fb7233e025eb965fe2ef64645aa78b

SHA512
a45db8cbffbe6941f63cf8e3d81eb006ba135fb6bcadd0a62b492e25606ef61c66c63adf377f77e11b53f55f43214b0810fc11c9a0970a05641c6d7d30dc47cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\40WV1DY9\Xkl0PnD8zFPjfh1[1].wiz

Filesize
408KB

MD5
f6e89e6c3ab17d8d58699ccefeaf3c8d

SHA1
86c245d0a2ef138aa7afca6bb43316e251b07c68

SHA256
32f5bf26d32b42212ada3e88017ad037c6c84f760a64585252576d893a00ff5f

SHA512
ab3a82dcd600c7169da373101593480a1ef8e82b2d339b5367f0e2b118f23ec3eb591a3e269de3f5d8b0e0843ec4574b33c5f98e0344c4be38a26c25caccb4b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7ECAFB0D-33B3-4C9C-9F67-C692A9155560}

Filesize
128KB

MD5
63453daeab27dc724ba53baa6257d44a

SHA1
2f70492fda72590a369b7b499d1ca900a5927f48

SHA256
fefaf2e1fbf3561d7b8ace5bca3e8ad94ecc4999d8f514cde92514bb579d61af

SHA512
526f5c2b0733a8b574131631e3663d220c4c3b9da655f5cf793eda2c6f2b6d9c838b55a43be4400e0eb82a6ed41bf2670ac21186d5e5100ce47dc40dd8065430

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Roaming\wealthcharliebgk.exe

Filesize
768KB

MD5
ccc582f44adb0a736c9fbbfa9f20f325

SHA1
51aac7cd475ae0115f43d5069213300d6f66672c

SHA256
8278e7661e290287dbdba63e2d2c2add86c2f64da32dfb137aee4597cab76508

SHA512
0bb6f532238cb5b7db8846740fad0c616d4e0e4f2a89f6613f2f902cde3c19632b58287da223f97476679649b7978651d20e8ce363bd0e89ae893710674c78a6

Download Submit
memory/304-95-0x0000000073C4D000-0x0000000073C58000-memory.dmp

Filesize
44KB

Download
memory/304-2-0x0000000073C4D000-0x0000000073C58000-memory.dmp

Filesize
44KB

Download
memory/304-0-0x000000002F091000-0x000000002F092000-memory.dmp

Filesize
4KB

Download
memory/304-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1560-94-0x0000000001390000-0x0000000001454000-memory.dmp

Filesize
784KB

Download
memory/1560-103-0x0000000000410000-0x0000000000422000-memory.dmp

Filesize
72KB

Download
memory/1560-104-0x0000000005100000-0x000000000518E000-memory.dmp

Filesize
568KB

Download
memory/2088-105-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2088-107-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2088-116-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2088-118-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2088-114-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2088-113-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2088-111-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2088-109-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads