vipkeylogger | f65d5f51c5b69891d73c3799b4ed4d53fea665a6ef5b3d0cce8cae1e96c0e785

Analysis

max time kernel
143s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-01-2025 15:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

image.exe
Size

2.0MB
MD5

4f481037138109f314141b4fede21f87
SHA1

e28504f330d3d8586d36e3ff270fdfc0821e0cc2
SHA256

f65d5f51c5b69891d73c3799b4ed4d53fea665a6ef5b3d0cce8cae1e96c0e785
SHA512

4e30ba43e8c8f5bb4810c4ac7a8f6bdfdd40c8a6b0de97b0f114ac1f6d326493befa8621941b178ece263da16f5081f93b6fb09a030670df54658f42cd866ec4
SSDEEP

49152:gdqswGco/j1HEFW1bB9HI8QrwiycY5vtxqpGAGco/j1HEFW1bB9HI8QrwiycY5vu:g8swjWdbwjWdb

Score

10^/10

vipkeylogger collection discovery keylogger persistence spyware stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.techniqueqatar.com
Port:
587
Username:
[email protected]
Password:
TechFB2023$$$

Extracted

Family

vipkeylogger

Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Executes dropped EXE 1 IoCs

pid	Process
3956	nhpoymuP.pif

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	nhpoymuP.pif
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	nhpoymuP.pif
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	nhpoymuP.pif

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pumyophn = "C:\\Users\\Public\\Pumyophn.url"	image.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
43	checkip.dyndns.org
45	reallyfreegeoip.org
46	reallyfreegeoip.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4016 set thread context of 3956	4016	image.exe	100

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	image.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nhpoymuP.pif

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	20	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3956	nhpoymuP.pif
3956	nhpoymuP.pif
3956	nhpoymuP.pif

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3956	nhpoymuP.pif

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3956	nhpoymuP.pif

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4016 wrote to memory of 2640	4016	image.exe	90
PID 4016 wrote to memory of 2640	4016	image.exe	90
PID 4016 wrote to memory of 2640	4016	image.exe	90
PID 4016 wrote to memory of 3956	4016	image.exe	100
PID 4016 wrote to memory of 3956	4016	image.exe	100
PID 4016 wrote to memory of 3956	4016	image.exe	100
PID 4016 wrote to memory of 3956	4016	image.exe	100
PID 4016 wrote to memory of 3956	4016	image.exe	100

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	nhpoymuP.pif

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	nhpoymuP.pif

C:\Users\Admin\AppData\Local\Temp\image.exe
"C:\Users\Admin\AppData\Local\Temp\image.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2640
- C:\Users\Public\Libraries\nhpoymuP.pif
  C:\Users\Public\Libraries\nhpoymuP.pif
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - outlook_office_path
  - outlook_win_path
  PID:3956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Libraries\FX.cmd

Filesize
8KB

MD5
60cd0be570decd49e4798554639a05ae

SHA1
bd7bed69d9ab9a20b5263d74921c453f38477bcb

SHA256
ca6a6c849496453990beceef8c192d90908c0c615fa0a1d01bcd464bad6966a5

SHA512
ab3dbdb4ed95a0cb4072b23dd241149f48ecff8a69f16d81648e825d9d81a55954e5dd9bc46d3d7408421df30c901b9ad1385d1e70793fa8d715c86c9e800c57

Download Submit
C:\Users\Public\Libraries\nhpoymuP.pif

Filesize
171KB

MD5
22331abcc9472cc9dc6f37faf333aa2c

SHA1
2a001c30ba79a19ceaf6a09c3567c70311760aa4

SHA256
bdfa725ec2a2c8ea5861d9b4c2f608e631a183fca7916c1e07a28b656cc8ec0c

SHA512
c7f5baad732424b975a426867d3d8b5424aa830aa172ed0ff0ef630070bf2b4213750e123a36d8c5a741e22d3999ca1d7e77c62d4b77d6295b20a38114b7843c

Download Submit
memory/3956-601-0x0000000024C40000-0x0000000024CA0000-memory.dmp

Filesize
384KB

Download
memory/3956-604-0x0000000027850000-0x00000000278AC000-memory.dmp

Filesize
368KB

Download
memory/3956-603-0x0000000027260000-0x0000000027804000-memory.dmp

Filesize
5.6MB

Download
memory/3956-1706-0x0000000029480000-0x000000002948A000-memory.dmp

Filesize
40KB

Download
memory/3956-1705-0x0000000028FE0000-0x0000000029072000-memory.dmp

Filesize
584KB

Download
memory/3956-1703-0x0000000028A50000-0x0000000028F7C000-memory.dmp

Filesize
5.2MB

Download
memory/3956-1702-0x0000000028960000-0x00000000289B0000-memory.dmp

Filesize
320KB

Download
memory/3956-1701-0x0000000028760000-0x0000000028922000-memory.dmp

Filesize
1.8MB

Download
memory/3956-1699-0x00000000278B0000-0x000000002794C000-memory.dmp

Filesize
624KB

Download
memory/4016-60-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-47-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-17-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-16-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-13-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-12-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-11-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-10-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-8-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-7-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-19-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-15-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-3-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-9-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-6-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-5-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-2-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-26-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-27-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-50-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-58-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-62-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-61-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-21-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-59-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-44-0x0000000002F80000-0x0000000003F80000-memory.dmp

Filesize
16.0MB

Download
memory/4016-51-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-49-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-48-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-18-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-46-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-45-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-43-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-41-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-40-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-39-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-38-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-37-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-36-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-34-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-33-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-32-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-31-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-30-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-29-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-25-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-42-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-35-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-28-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-22-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-20-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-14-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-4-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-1-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-0-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/4016-24-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-23-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-64-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-63-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4016-174-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download