Analysis
-
max time kernel
125s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
29-01-2025 14:27
General
-
Target
Payment Error.docx
-
Size
179KB
-
MD5
3d1c1d2836460cf9b648fafe778afc7c
-
SHA1
a6db7abf6061052b8fad3112a8d5570cd658f773
-
SHA256
b1e95a02dacd02c5821a7cff619f919623f222b85f27f5c60470f06f7b5eac85
-
SHA512
d1fbfa64020f97b6d1151559efdd9a47bcb32a58220763d0c25eef8b186110c48ddceb573ebdf678254163fcc8567c4ede18ac6c7d90d4e6ed04cbf06b42b25c
-
SSDEEP
3072:QiY5rj1ATug+mhTZMxjcFQ9csn4qAzYjDp/shKuikycBSRjR/Vx7XUgpxD:K5r/g+qZMpcFSQzYHut4dFrD
Malware Config
Extracted
vipkeylogger
Protocol: smtp- Host:
mail.jhxkgroup.online - Port:
587 - Username:
[email protected] - Password:
7213575aceACE@@ - Email To:
[email protected]
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Vipkeylogger family
-
Blocklisted process makes network request 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file 1 IoCs
-
Abuses OpenXML format to download file from external location
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 29 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Payment Error.docx"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Downloads MZ/PE file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\chromeobis.exe"C:\Users\Admin\AppData\Roaming\chromeobis.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\chromeobis.exe"3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\chromeobis.exe"C:\Users\Admin\AppData\Roaming\chromeobis.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\chromeobis.exe"C:\Users\Admin\AppData\Roaming\chromeobis.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\chromeobis.exe"C:\Users\Admin\AppData\Roaming\chromeobis.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Exploitation for Client Execution
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5c9be626e9715952e9b70f92f912b9787
SHA1aa2e946d9ad9027172d0d321917942b7562d6abe
SHA256c13e8d22800c200915f87f71c31185053e4e60ca25de2e41e160e09cd2d815d4
SHA5127581b7c593785380e9db3ae760af85c1a889f607a3cd2aa5a2695a0e5a0fe8ee751578e88f7d8c997faeda804e2fc2655d859bee2832eace526ed4379edaa3f5
-
Filesize
436B
MD5971c514f84bba0785f80aa1c23edfd79
SHA1732acea710a87530c6b08ecdf32a110d254a54c8
SHA256f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA51243dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58
-
Filesize
174B
MD5e853eab590c9255a2cdebd02219fce5f
SHA1bb55ba915381d842b119f296048e8145d59b55c2
SHA2560685c7243c6e009752391173bb7283d648f867ca52fa7ea12a545712a4c8ee72
SHA5126e3b070cfd24233269c4180e47de5ad318dc89ec00ffd57fd783238b6f0d57c79610a04ac5d9700e1a12262158c1ca04141559226b79dd3dbe1832250544ddee
-
Filesize
342B
MD5513686ec12bce5f892edaf3abeecbc04
SHA1b3ea44ac8631c6402bd4de4b74c813f485621556
SHA2566f1d649bd86301f7385c3091ea6a8e18dd0ce380e0a009b82fba0060784cb239
SHA512aa622cd9b9a03b91d8e457858229d41c319a46b7abe04bd2d789080a7caddaaa704ac364ef77e9ebcb5de3b92a206630c331c59a71e2aa9ed0a8674af8708d1a
-
Filesize
170B
MD58fa243c902c5a3bcecb0cdb00c4b6ade
SHA1f9b914f21c38975b2edb8a581f6351ddfcf8af7c
SHA256084e39a25837b9d8bdd143432417661d7774aee998d182141cd380d16e4b0c90
SHA5123aa30f2a1479586ea2bf9432b143431d97043bd20029500be28590e0a9cc57b099fd13d663fc9134b960f2f30c19d7e0eb8e5dcbcf448c68dd6b226f629151ce
-
Filesize
128KB
MD5d6e455da17c1b7e26307979c7c4e9b8c
SHA1cbfac197dba16622b18a8118fbd4a71a345b8dc1
SHA256fce593eb4f7fd6102759e01006752015650efb547cf4b446b8a4c28dc1192242
SHA512da950f0c2308cf720a5bfef70f22cf3a6b0e4eed2941157f627582e3727eaf42ebe573e633bf640578f8f03def9caeb2972134e3ba04416324f3be81c5c0ebc2
-
Filesize
128KB
MD504480b9463f62164b628f9bfd9877a63
SHA180232597930ddeca7816227e55538b15f83fecb9
SHA2564f7e3d7cfb200f1933943da307d60dde9a392449c169946135350af564d025f4
SHA51202fd8590495d8370d35359ebb53bbbdc2bfa28b089ab3f228f1e35d4015d37a47cc5592b6b1f12e4580ec61747923cd297667aa95f0153e1a6ac5d865169a3e3
-
Filesize
128KB
MD5c69aba5b8ae52fdf8edbb1efd8bc8432
SHA15e07562765f29fed14032bdae2a3bf50b1fe251b
SHA256aee82b40334491838a327e033684012e279c7c136f64ffeaa04a224ea227912d
SHA51241f64309b2e4a54b4585403ec052bb60ac50f1065d96db5176c93dc53ca86be4a4a7aa9c88d00549cacca52f2d03beae2e76e439033ea4a022fe9437f31c37ba
-
Filesize
469KB
MD50dbe0f99c69a2dbd0ec15c5199d73762
SHA14da131dcff2a5fd63eddf9b1742bd49b1fe08802
SHA256f66ddd8a7bd34537428e518c38601da74769f6adf9ec7f671dd0195e2499d37a
SHA512b04d315b61f13791af612ca58f6cd93b6fde0989bf9697d6cfa5491e841327acaf795fff45f60a9f860e8c4ebf8066ffe2242c4f0f5da20b6f96c193c82dd0c3
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
128KB
MD5fa4f6d29136cc717684d5a8a05153a25
SHA1a351b6a5b859fce63854dadd96f89f008c5b29e5
SHA256a9e8ab0ec92d09499f44294ad3e3e315175b0cabeecc32269ccbc3b4b943de7d
SHA5124f6ff510cabe5ce1f506ac48b3ef04ab3c6749584a20493cf677b9e9ca33e886beb8c7006954eaf309f3af1248ba8d81a7c5ff5d536dacdd75a09245c9f682e9
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
1.1MB
MD52b625e3065e5af534b2a581772c1db95
SHA129474b68dd53b9e155ff8dff3c797244f6e0ccb1
SHA256f94d943733952bb42137de39559664a1978d0e72fc481426dfc037f7f967df8f
SHA51242fd955ee89a6ca93162122416d51068725bb389ecf3cba8e90aa2973a69d4591584defb2f7081a173853b38ac4b090606256cb06123421db2e031f0557fb5ba
-
Filesize
4KB
-
Filesize
44KB
-
Filesize
64KB
-
Filesize
44KB
-
Filesize
288KB
-
Filesize
288KB
-
Filesize
288KB
-
Filesize
288KB
-
Filesize
288KB
-
Filesize
4KB
-
Filesize
288KB
-
Filesize
288KB
-
Filesize
120KB
-
Filesize
568KB
-
Filesize
1.2MB