vipkeylogger | eb3dcc6f02b890aeaa2368161d863b645a4c115bb4385278f80335ffb6143041

Analysis

max time kernel
59s
max time network
155s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
29-01-2025 08:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EFT Remittance Slip for Due Invoice.exe
Size

1.2MB
MD5

8c6ad00d939323abfb5ebef28bc8ca00
SHA1

b80b7621a8af48cd62361b938f8727d181661f2f
SHA256

eb3dcc6f02b890aeaa2368161d863b645a4c115bb4385278f80335ffb6143041
SHA512

2b3365e3c5d865502121fbae148158aef1d3a9ada2b9152d997c96bad5aa51247a7c1eea1dcea48c98ba09b547b0f58450e2c3e3c62ba80d15571a432d72fc04
SSDEEP

24576:KAHnh+eWsN3skA4RV1Hom2KXFmIaIcPGZV+2urmZ5XEo5:dh+ZkldoPK1XaIcPGmrC5f

Score

10^/10

vipkeylogger collection discovery evasion keylogger stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.norcalwholehousefans.com
Port:
587
Username:
[email protected]
Password:
Pythonk2024!@#$

Extracted

Family

vipkeylogger

Signatures

Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	RegSvcs.exe

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nouses.vbs	nouses.exe

Executes dropped EXE 1 IoCs

pid	Process
2816	nouses.exe

Loads dropped DLL 1 IoCs

pid	Process
2124	EFT Remittance Slip for Due Invoice.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	checkip.dyndns.org
8	reallyfreegeoip.org
9	reallyfreegeoip.org

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0003000000018334-13.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2816 set thread context of 2720	2816	nouses.exe	30

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EFT Remittance Slip for Due Invoice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nouses.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2720	RegSvcs.exe
2720	RegSvcs.exe
2720	RegSvcs.exe
2720	RegSvcs.exe
2720	RegSvcs.exe
2720	RegSvcs.exe
2720	RegSvcs.exe
2720	RegSvcs.exe
2720	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2816	nouses.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2720	RegSvcs.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2124	EFT Remittance Slip for Due Invoice.exe
2124	EFT Remittance Slip for Due Invoice.exe
2816	nouses.exe
2816	nouses.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2124	EFT Remittance Slip for Due Invoice.exe
2124	EFT Remittance Slip for Due Invoice.exe
2816	nouses.exe
2816	nouses.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2816	2124	EFT Remittance Slip for Due Invoice.exe	29
PID 2124 wrote to memory of 2816	2124	EFT Remittance Slip for Due Invoice.exe	29
PID 2124 wrote to memory of 2816	2124	EFT Remittance Slip for Due Invoice.exe	29
PID 2124 wrote to memory of 2816	2124	EFT Remittance Slip for Due Invoice.exe	29
PID 2816 wrote to memory of 2720	2816	nouses.exe	30
PID 2816 wrote to memory of 2720	2816	nouses.exe	30
PID 2816 wrote to memory of 2720	2816	nouses.exe	30
PID 2816 wrote to memory of 2720	2816	nouses.exe	30
PID 2816 wrote to memory of 2720	2816	nouses.exe	30
PID 2816 wrote to memory of 2720	2816	nouses.exe	30
PID 2816 wrote to memory of 2720	2816	nouses.exe	30
PID 2816 wrote to memory of 2720	2816	nouses.exe	30

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\EFT Remittance Slip for Due Invoice.exe
"C:\Users\Admin\AppData\Local\Temp\EFT Remittance Slip for Due Invoice.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\AppData\Local\directiveness\nouses.exe
  "C:\Users\Admin\AppData\Local\Temp\EFT Remittance Slip for Due Invoice.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\EFT Remittance Slip for Due Invoice.exe"
    3⤵
    - Modifies Windows Defender DisableAntiSpyware settings
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\maneuverability

Filesize
56KB

MD5
a244c8146db80a29c4406636da8ad680

SHA1
309f1aa03b8f906b9538b2fa147d004824d456dd

SHA256
5800960034dc44149efdec18a2f7630ae85fd59ede70420586d2b834fc2adbb0

SHA512
d5a7ce6edfffe4923943a97bc90b3f5d66b06b1e0c874116c1f25cf4cbac6dcf298d648c53079cdf884111a3ddc6855fb47b2c6f948e47d736fc52e052ceaa88

Download Submit
\Users\Admin\AppData\Local\directiveness\nouses.exe

Filesize
1.2MB

MD5
8c6ad00d939323abfb5ebef28bc8ca00

SHA1
b80b7621a8af48cd62361b938f8727d181661f2f

SHA256
eb3dcc6f02b890aeaa2368161d863b645a4c115bb4385278f80335ffb6143041

SHA512
2b3365e3c5d865502121fbae148158aef1d3a9ada2b9152d997c96bad5aa51247a7c1eea1dcea48c98ba09b547b0f58450e2c3e3c62ba80d15571a432d72fc04

Download Submit
memory/2124-11-0x0000000000A00000-0x0000000000E00000-memory.dmp

Filesize
4.0MB

Download
memory/2720-33-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2720-36-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2720-35-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2720-37-0x00000000744AE000-0x00000000744AF000-memory.dmp

Filesize
4KB

Download
memory/2720-38-0x0000000000B60000-0x0000000000BC2000-memory.dmp

Filesize
392KB

Download
memory/2720-39-0x00000000744A0000-0x0000000074B8E000-memory.dmp

Filesize
6.9MB

Download
memory/2720-40-0x00000000744A0000-0x0000000074B8E000-memory.dmp

Filesize
6.9MB

Download
memory/2720-41-0x0000000000D20000-0x0000000000D80000-memory.dmp

Filesize
384KB

Download
memory/2720-42-0x0000000000D20000-0x0000000000D7A000-memory.dmp

Filesize
360KB

Download
memory/2720-73-0x0000000000D20000-0x0000000000D7A000-memory.dmp

Filesize
360KB

Download
memory/2720-79-0x0000000000D20000-0x0000000000D7A000-memory.dmp

Filesize
360KB

Download
memory/2720-77-0x0000000000D20000-0x0000000000D7A000-memory.dmp

Filesize
360KB

Download
memory/2720-75-0x0000000000D20000-0x0000000000D7A000-memory.dmp

Filesize
360KB

Download
memory/2720-71-0x0000000000D20000-0x0000000000D7A000-memory.dmp

Filesize
360KB

Download
memory/2720-70-0x0000000000D20000-0x0000000000D7A000-memory.dmp

Filesize
360KB

Download
memory/2720-67-0x0000000000D20000-0x0000000000D7A000-memory.dmp

Filesize
360KB

Download
memory/2720-65-0x0000000000D20000-0x0000000000D7A000-memory.dmp

Filesize
360KB

Download
memory/2720-63-0x0000000000D20000-0x0000000000D7A000-memory.dmp

Filesize
360KB

Download
memory/2720-61-0x0000000000D20000-0x0000000000D7A000-memory.dmp

Filesize
360KB

Download
memory/2720-60-0x0000000000D20000-0x0000000000D7A000-memory.dmp

Filesize
360KB

Download
memory/2720-57-0x0000000000D20000-0x0000000000D7A000-memory.dmp

Filesize
360KB

Download
memory/2720-55-0x0000000000D20000-0x0000000000D7A000-memory.dmp

Filesize
360KB

Download
memory/2720-53-0x0000000000D20000-0x0000000000D7A000-memory.dmp

Filesize
360KB

Download
memory/2720-51-0x0000000000D20000-0x0000000000D7A000-memory.dmp

Filesize
360KB

Download
memory/2720-49-0x0000000000D20000-0x0000000000D7A000-memory.dmp

Filesize
360KB

Download
memory/2720-85-0x0000000000D20000-0x0000000000D7A000-memory.dmp

Filesize
360KB

Download
memory/2720-47-0x0000000000D20000-0x0000000000D7A000-memory.dmp

Filesize
360KB

Download
memory/2720-45-0x0000000000D20000-0x0000000000D7A000-memory.dmp

Filesize
360KB

Download
memory/2720-43-0x0000000000D20000-0x0000000000D7A000-memory.dmp

Filesize
360KB

Download
memory/2720-101-0x0000000000D20000-0x0000000000D7A000-memory.dmp

Filesize
360KB

Download
memory/2720-99-0x0000000000D20000-0x0000000000D7A000-memory.dmp

Filesize
360KB

Download
memory/2720-98-0x0000000000D20000-0x0000000000D7A000-memory.dmp

Filesize
360KB

Download
memory/2720-95-0x0000000000D20000-0x0000000000D7A000-memory.dmp

Filesize
360KB

Download
memory/2720-93-0x0000000000D20000-0x0000000000D7A000-memory.dmp

Filesize
360KB

Download
memory/2720-91-0x0000000000D20000-0x0000000000D7A000-memory.dmp

Filesize
360KB

Download
memory/2720-89-0x0000000000D20000-0x0000000000D7A000-memory.dmp

Filesize
360KB

Download
memory/2720-87-0x0000000000D20000-0x0000000000D7A000-memory.dmp

Filesize
360KB

Download
memory/2720-83-0x0000000000D20000-0x0000000000D7A000-memory.dmp

Filesize
360KB

Download
memory/2720-81-0x0000000000D20000-0x0000000000D7A000-memory.dmp

Filesize
360KB

Download
memory/2720-1158-0x00000000744A0000-0x0000000074B8E000-memory.dmp

Filesize
6.9MB

Download
memory/2720-1159-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2720-1160-0x00000000744AE000-0x00000000744AF000-memory.dmp

Filesize
4KB

Download
memory/2720-1161-0x00000000744A0000-0x0000000074B8E000-memory.dmp

Filesize
6.9MB

Download
memory/2720-1162-0x00000000744A0000-0x0000000074B8E000-memory.dmp

Filesize
6.9MB

Download
memory/2720-1163-0x00000000744A0000-0x0000000074B8E000-memory.dmp

Filesize
6.9MB

Download
memory/2816-31-0x0000000000F30000-0x0000000001330000-memory.dmp

Filesize
4.0MB

Download