vipkeylogger | bba1825bd893328442cb891a35420a5da41a5431d1ade643f085c5992e763d3a

General

Target

RequestforQuotationMKFMHS.RFQ.24.11.21.bat.exe
Size

994KB
MD5

1ae7a890014eba9c807c6adeabac7671
SHA1

e3b92645849a3e064d9fc401badf115dab013839
SHA256

bba1825bd893328442cb891a35420a5da41a5431d1ade643f085c5992e763d3a
SHA512

3a54469caeb4052cb4b842b30292e5ae00c9bf2a29f0d293d975d7bd0283d657c2fb4c9fd0df0797782eda78474a9eab5f8fa6d1ff66ceaf59f00e128fbab2d7
SSDEEP

24576:Yij0gzjizxWgioJqE9p9jzOtXGnwaEalbcHNGtAlUDRL:1zjkW2H9p9PmXMOHNzUDB

Score

10^/10

vipkeylogger discovery execution keylogger stealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.catanhoinvestments.com
Port:
587
Username:
[email protected]
Password:
RPgi34L1yoc
Email To:
[email protected]

Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2732	powershell.exe
2244	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	checkip.dyndns.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RequestforQuotationMKFMHS.RFQ.24.11.21.bat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2804	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2424	RequestforQuotationMKFMHS.RFQ.24.11.21.bat.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2424	RequestforQuotationMKFMHS.RFQ.24.11.21.bat.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 2244	2424	RequestforQuotationMKFMHS.RFQ.24.11.21.bat.exe	31
PID 2424 wrote to memory of 2244	2424	RequestforQuotationMKFMHS.RFQ.24.11.21.bat.exe	31
PID 2424 wrote to memory of 2244	2424	RequestforQuotationMKFMHS.RFQ.24.11.21.bat.exe	31
PID 2424 wrote to memory of 2244	2424	RequestforQuotationMKFMHS.RFQ.24.11.21.bat.exe	31

C:\Users\Admin\AppData\Local\Temp\RequestforQuotationMKFMHS.RFQ.24.11.21.bat.exe
"C:\Users\Admin\AppData\Local\Temp\RequestforQuotationMKFMHS.RFQ.24.11.21.bat.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RequestforQuotationMKFMHS.RFQ.24.11.21.bat.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  PID:2244
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NuDUTBObHpKADz.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2732
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NuDUTBObHpKADz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1056.tmp"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2804
- C:\Users\Admin\AppData\Local\Temp\RequestforQuotationMKFMHS.RFQ.24.11.21.bat.exe
  "C:\Users\Admin\AppData\Local\Temp\RequestforQuotationMKFMHS.RFQ.24.11.21.bat.exe"
  2⤵
  PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1056.tmp

Filesize
1KB

MD5
9806e424ed364823a48166ca165cdbe6

SHA1
1ea2c98cff6da8b3215f4854c3074b459d38999f

SHA256
cb54066880a92c33c2ecd1feca2567333491c4471bb717ff4899cdcc0d70e359

SHA512
1735deb80ab43c85ac057533c99cf8f4d111834cff550fd65a458b535cc2a567863bda228bdc6f2eea4d405e462dfc65c7d634f004fb53eea5651ef858f4539f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QH0SS08II0L24NV9PR13.temp

Filesize
7KB

MD5
a4947f6420242d706da1d9050da7101f

SHA1
1b95e1b5dd491b6c70c2d915ba2958c7ffb9e4cb

SHA256
adc6ea1fb3f55e1ea1657409c1298658bbcaecbb3e7a4adc448be485d9723cbf

SHA512
1d20a6b01801fe118dd09838b0fd893c5c0b2b15a7c216489c34a84913afbd5e0ebca401a4031ce957ee78a38492a76d4f8b6956ec97a2813fee55cda5b98142

Download Submit
memory/2424-31-0x0000000073F10000-0x00000000745FE000-memory.dmp

Filesize
6.9MB

Download
memory/2424-3-0x0000000000270000-0x0000000000282000-memory.dmp

Filesize
72KB

Download
memory/2424-4-0x0000000073F10000-0x00000000745FE000-memory.dmp

Filesize
6.9MB

Download
memory/2424-5-0x0000000005410000-0x000000000549E000-memory.dmp

Filesize
568KB

Download
memory/2424-2-0x0000000073F10000-0x00000000745FE000-memory.dmp

Filesize
6.9MB

Download
memory/2424-1-0x0000000000940000-0x0000000000A3E000-memory.dmp

Filesize
1016KB

Download
memory/2424-0-0x0000000073F1E000-0x0000000073F1F000-memory.dmp

Filesize
4KB

Download
memory/2856-27-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2856-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2856-30-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2856-24-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2856-22-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2856-20-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2856-19-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2856-28-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads