vipkeylogger | 06ffd5cfe0c7895062e69385f6393c13022499342f4c80582561913583f850a0

General

Target

06ffd5cfe0c7895062e69385f6393c13022499342f4c80582561913583f850a0.rtf
Size

628KB
MD5

a51f9396d4804b48af9e79902e32580f
SHA1

1f9f9209145556c22bfa74f8a3654aceb81b8ad9
SHA256

06ffd5cfe0c7895062e69385f6393c13022499342f4c80582561913583f850a0
SHA512

7016a546d4a3a1804a3d6e54887d0eee311b87f14e7b7d466d91c4785e877859c3d8d32b2324bc690b117f19319243bf1ea4946885ee6768dca78584effe8c75
SSDEEP

6144:UwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAl:nRQ

Score

10^/10

vipkeylogger discovery execution keylogger stealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.gtpv.online
Port:
587
Username:
[email protected]
Password:
7213575aceACE@@
Email To:
[email protected]

Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2528	EQNEDT32.EXE
7	2528	EQNEDT32.EXE

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
592	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
5	2528	EQNEDT32.EXE

Executes dropped EXE 2 IoCs

pid	Process
2984	chromeendy.exe
1716	chromeendy.exe

Loads dropped DLL 6 IoCs

pid	Process
2528	EQNEDT32.EXE
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	checkip.dyndns.org

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2984 set thread context of 1716	2984	chromeendy.exe	37

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1776	1716	WerFault.exe	37

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chromeendy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chromeendy.exe

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2528	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1984	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1716	chromeendy.exe
592	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1716	chromeendy.exe
Token: SeDebugPrivilege	592	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1984	WINWORD.EXE
1984	WINWORD.EXE

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2984	2528	EQNEDT32.EXE	32
PID 2528 wrote to memory of 2984	2528	EQNEDT32.EXE	32
PID 2528 wrote to memory of 2984	2528	EQNEDT32.EXE	32
PID 2528 wrote to memory of 2984	2528	EQNEDT32.EXE	32
PID 1984 wrote to memory of 476	1984	WINWORD.EXE	35
PID 1984 wrote to memory of 476	1984	WINWORD.EXE	35
PID 1984 wrote to memory of 476	1984	WINWORD.EXE	35
PID 1984 wrote to memory of 476	1984	WINWORD.EXE	35
PID 2984 wrote to memory of 592	2984	chromeendy.exe	36
PID 2984 wrote to memory of 592	2984	chromeendy.exe	36
PID 2984 wrote to memory of 592	2984	chromeendy.exe	36
PID 2984 wrote to memory of 592	2984	chromeendy.exe	36
PID 2984 wrote to memory of 1716	2984	chromeendy.exe	37
PID 2984 wrote to memory of 1716	2984	chromeendy.exe	37
PID 2984 wrote to memory of 1716	2984	chromeendy.exe	37
PID 2984 wrote to memory of 1716	2984	chromeendy.exe	37
PID 2984 wrote to memory of 1716	2984	chromeendy.exe	37
PID 2984 wrote to memory of 1716	2984	chromeendy.exe	37
PID 2984 wrote to memory of 1716	2984	chromeendy.exe	37
PID 2984 wrote to memory of 1716	2984	chromeendy.exe	37
PID 2984 wrote to memory of 1716	2984	chromeendy.exe	37
PID 1716 wrote to memory of 1776	1716	chromeendy.exe	39
PID 1716 wrote to memory of 1776	1716	chromeendy.exe	39
PID 1716 wrote to memory of 1776	1716	chromeendy.exe	39
PID 1716 wrote to memory of 1776	1716	chromeendy.exe	39

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\06ffd5cfe0c7895062e69385f6393c13022499342f4c80582561913583f850a0.rtf"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:476

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Downloads MZ/PE file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Users\Admin\AppData\Roaming\chromeendy.exe
  "C:\Users\Admin\AppData\Roaming\chromeendy.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\chromeendy.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:592
- - C:\Users\Admin\AppData\Roaming\chromeendy.exe
    "C:\Users\Admin\AppData\Roaming\chromeendy.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1716
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 1000
      4⤵
      Loads dropped DLL
      Program crash
      PID:1776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\chromeendy.exe

Filesize
1.1MB

MD5
e2bfaca136923b4e21f5ec3c94fa5add

SHA1
4e4705871e548966fc2c842e0e05b949fac3b77f

SHA256
286372582689c270359b64708765ec150af3fdf17f907bbacaa1680cbb8870d7

SHA512
4a95ba2ff98c6ca6e520671c24c2bd98b1fea0b5511f73d93184d4a452d32986665b343c1d6e237b6343cd0018859bab2317026a1b9038e52957a07a55b96f11

Download Submit
memory/1716-44-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1716-46-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1716-37-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1716-41-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1716-43-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1716-35-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1716-47-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1716-39-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1984-2-0x000000007177D000-0x0000000071788000-memory.dmp

Filesize
44KB

Download
memory/1984-33-0x000000007177D000-0x0000000071788000-memory.dmp

Filesize
44KB

Download
memory/1984-0-0x000000002FC01000-0x000000002FC02000-memory.dmp

Filesize
4KB

Download
memory/1984-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2984-34-0x00000000009E0000-0x0000000000A6E000-memory.dmp

Filesize
568KB

Download
memory/2984-28-0x0000000000340000-0x000000000035E000-memory.dmp

Filesize
120KB

Download
memory/2984-27-0x0000000000CF0000-0x0000000000E1A000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing