vipkeylogger | aca3d8614954a35938653f8a26effa4f96952d8227222ca57dda6ab7cd607424

General

Target

[email protected]_SOA.docx
Size

459KB
MD5

d2d23ccc53607370c926fe786f92c75b
SHA1

8a84a9083d5b1e26fb9d0374efec7b259a3d059b
SHA256

aca3d8614954a35938653f8a26effa4f96952d8227222ca57dda6ab7cd607424
SHA512

2a38f263819d6350fdcc7e12345d68dbb6745eedef50ac261b488f73e534e0cc568c0d7dd909ca1bc438e436a9148aaf0f38f86792d8a92c174faef37e4396ca
SSDEEP

6144:hdlcbR5HastSFXbqUAbqUAbqUvyLE8IIIIIW0ru0rqme6eeCe9vCeXhdYp9tmYL2:zARtUVhpr/rqIXM9mrm9Bt2mhW8G0Yf

Score

10^/10

vipkeylogger collection discovery keylogger spyware stealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.covid19support.top
Port:
587
Username:
[email protected]
Password:
7213575aceACE@@
Email To:
[email protected]

Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	960	EQNEDT32.EXE

Downloads MZ/PE file
Abuses OpenXML format to download file from external location

Executes dropped EXE 2 IoCs

pid	Process
1700	wealthcharliebgk.exe
808	wealthcharliebgk.exe

Loads dropped DLL 1 IoCs

pid	Process
960	EQNEDT32.EXE

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wealthcharliebgk.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wealthcharliebgk.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wealthcharliebgk.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1700 set thread context of 808	1700	wealthcharliebgk.exe	33

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wealthcharliebgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wealthcharliebgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
960	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1940	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
808	wealthcharliebgk.exe
808	wealthcharliebgk.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	808	wealthcharliebgk.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1940	WINWORD.EXE
1940	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1940	WINWORD.EXE
1940	WINWORD.EXE

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 1700	960	EQNEDT32.EXE	32
PID 960 wrote to memory of 1700	960	EQNEDT32.EXE	32
PID 960 wrote to memory of 1700	960	EQNEDT32.EXE	32
PID 960 wrote to memory of 1700	960	EQNEDT32.EXE	32
PID 1700 wrote to memory of 808	1700	wealthcharliebgk.exe	33
PID 1700 wrote to memory of 808	1700	wealthcharliebgk.exe	33
PID 1700 wrote to memory of 808	1700	wealthcharliebgk.exe	33
PID 1700 wrote to memory of 808	1700	wealthcharliebgk.exe	33
PID 1700 wrote to memory of 808	1700	wealthcharliebgk.exe	33
PID 1700 wrote to memory of 808	1700	wealthcharliebgk.exe	33
PID 1700 wrote to memory of 808	1700	wealthcharliebgk.exe	33
PID 1700 wrote to memory of 808	1700	wealthcharliebgk.exe	33
PID 1700 wrote to memory of 808	1700	wealthcharliebgk.exe	33

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wealthcharliebgk.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wealthcharliebgk.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\[email protected]_SOA.docx"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1940

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:960
- C:\Users\Admin\AppData\Roaming\wealthcharliebgk.exe
  "C:\Users\Admin\AppData\Roaming\wealthcharliebgk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Users\Admin\AppData\Roaming\wealthcharliebgk.exe
    "C:\Users\Admin\AppData\Roaming\wealthcharliebgk.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Browser Information Discovery

1

T1217

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{40DBCF08-AA41-497D-A07B-7CE9781BB9BB}.FSD

Filesize
128KB

MD5
48ad8a7116bb3b403fcf08bd98ce33b6

SHA1
a16fc5eb3366179431d4f7810ed28b41f16b8be4

SHA256
99cddd66a6c24470ec3699fa838b0ee4042e49708c5eb967f62dec09d62b4d01

SHA512
1a5be61f94d33d5f286a40cc68255dca4225248cce4949da7f56f47fb72e31943fbd6cb2ea3fc8c8fb537ab516d7d165133f7fdfb9097db7244d7bb06e5ee1b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
57cd6de0afa6ce174a9502922954d122

SHA1
c156d9be9c5d61557281c1c6aa949ce57eeea008

SHA256
65851989dc6ef035d177cbcac0dfda07d16144813199e15004a94857fcd75d10

SHA512
234caabf148ae4231abc486fbf96631f0ca037ee86cf969380e27cba85d81c9bb74577af12b9d186d26637ded2d45f51b7d2fc01a933af90d023d1288b8bbf5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{9456FD06-DF6D-4D93-B2C3-CE274A566063}.FSD

Filesize
128KB

MD5
93b242d84d74de02641c262458382672

SHA1
df9c26e3022a84c16c29b450fd923cc975c369fa

SHA256
bdf8d7584c2e156b550c031527b79ed5eddf598b6d0c98ba9cb79bf9a01a53e1

SHA512
26f058ab309886abff946a5ae65a4b1d637637500fabceefeb6851e9deace69fe26464cd41098588ccf16be34f9fc0948f0943981c67750b70cce2b1b79178cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0WBLVJY\Xkl0PnD8zFPjfh1[1].wiz

Filesize
408KB

MD5
f6e89e6c3ab17d8d58699ccefeaf3c8d

SHA1
86c245d0a2ef138aa7afca6bb43316e251b07c68

SHA256
32f5bf26d32b42212ada3e88017ad037c6c84f760a64585252576d893a00ff5f

SHA512
ab3a82dcd600c7169da373101593480a1ef8e82b2d339b5367f0e2b118f23ec3eb591a3e269de3f5d8b0e0843ec4574b33c5f98e0344c4be38a26c25caccb4b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0EAB3B59-C5EE-4FF5-A7FB-EEFE90640F9E}

Filesize
128KB

MD5
ae25bdcfbe491f72a5cbbaabbb45fb03

SHA1
13bda9e85079263120c071c9fecdd9f8210ccdf0

SHA256
a9df6ba8c43a8f3b4a81f80f3776d2f661cbba4d9b3a47d15b4783970b1213a1

SHA512
943097c01a97c82d4cb3e24b2827aab33c0ab173ded050ab289506ebd5b848657320f7f163db38bdbbdfaa1fcd2ee36a186e811f9f737e62b0d018e859565c9d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
444B

MD5
0a8729d707df8957f8c1adf7dcdbefe6

SHA1
0b9705b95203b9d554ded0ea0fb3986a4c2b15b5

SHA256
70389525a74a51e1e00498e95ed2f669cd19165d8ea904419d7b9f2f11ce55c7

SHA512
e4127598531d26b5e72274be366a56db48b42885c989991e30e10d6a5a6b92b083e18743f0aef2234a925fa761859211780018b95b2caf75354606de7f9dfe50

Download Submit
\Users\Admin\AppData\Roaming\wealthcharliebgk.exe

Filesize
737KB

MD5
78e5f0526a01f7a36cee6e5e2ccb1be0

SHA1
bb4aa50fa1369ad58cc851407f43b955c32011f0

SHA256
fc59d1ca77099951701944173f5d9daaf2434942a46503d0d9e0bd7e5262cfc6

SHA512
dc97bb70cc20476257795c1de3eda163def00c7b04cf30e09b441b3f03a3f77e7fcc70f943cde1b62174c7f2756862d5239ba5b6fd43f27a86813639df702ecd

Download Submit
memory/808-108-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/808-105-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/808-99-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/808-101-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/808-103-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/808-106-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/808-97-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/808-109-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1700-96-0x0000000000380000-0x0000000000388000-memory.dmp

Filesize
32KB

Download
memory/1700-95-0x0000000000D70000-0x0000000000DE8000-memory.dmp

Filesize
480KB

Download
memory/1700-94-0x0000000000F20000-0x0000000000FDE000-memory.dmp

Filesize
760KB

Download
memory/1940-0-0x000000002F891000-0x000000002F892000-memory.dmp

Filesize
4KB

Download
memory/1940-2-0x0000000070D0D000-0x0000000070D18000-memory.dmp

Filesize
44KB

Download
memory/1940-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1940-110-0x0000000070D0D000-0x0000000070D18000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing