vipkeylogger | be05520944103cfdddcd92ce66e56ae66a5cb544e0669a4dd6297afabb3c75bf

General

Target

INV.exe
Size

785KB
MD5

6f6bd4f765b048c7a58c68e7293024ad
SHA1

100a27316219257dfba134c3e62371978ab71dee
SHA256

52d2efe5c3788bd0e364e13cc0dbf7ad049aecab204f4032acded2c75c28c4a9
SHA512

af27bab8159a4ee7a1e009656a0e9b6a482aaaf9d315cd6264517d6b8689fc796db5c208a39b9fe4077acd2ab5e832daf3cf18227c28d3e6e3260ed0cdbc24cc
SSDEEP

12288:9wrxQOrPOZVJHK66J/O2e/xzmD75CLL9w2HMt6J/sEaYjdT5lnSBJ:9c0VJ6J/OL/ZmD75ibFaoFl

Score

10^/10

vipkeylogger collection discovery execution keylogger spyware stealer

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot8105864443:AAG0t_w0l1AtL3uv_XoOBi0uESWJlCjvFyg/sendMessage?chat_id=739441159

Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2204	powershell.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	INV.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	INV.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	INV.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	checkip.dyndns.org
8	reallyfreegeoip.org
9	reallyfreegeoip.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2400 set thread context of 2872	2400	INV.exe	35

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	INV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	INV.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2844	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2400	INV.exe
2400	INV.exe
2872	INV.exe
2204	powershell.exe
2872	INV.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2400	INV.exe
Token: SeDebugPrivilege	2872	INV.exe
Token: SeDebugPrivilege	2204	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2204	2400	INV.exe	31
PID 2400 wrote to memory of 2204	2400	INV.exe	31
PID 2400 wrote to memory of 2204	2400	INV.exe	31
PID 2400 wrote to memory of 2204	2400	INV.exe	31
PID 2400 wrote to memory of 2844	2400	INV.exe	33
PID 2400 wrote to memory of 2844	2400	INV.exe	33
PID 2400 wrote to memory of 2844	2400	INV.exe	33
PID 2400 wrote to memory of 2844	2400	INV.exe	33
PID 2400 wrote to memory of 2872	2400	INV.exe	35
PID 2400 wrote to memory of 2872	2400	INV.exe	35
PID 2400 wrote to memory of 2872	2400	INV.exe	35
PID 2400 wrote to memory of 2872	2400	INV.exe	35
PID 2400 wrote to memory of 2872	2400	INV.exe	35
PID 2400 wrote to memory of 2872	2400	INV.exe	35
PID 2400 wrote to memory of 2872	2400	INV.exe	35
PID 2400 wrote to memory of 2872	2400	INV.exe	35
PID 2400 wrote to memory of 2872	2400	INV.exe	35

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	INV.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	INV.exe

C:\Users\Admin\AppData\Local\Temp\INV.exe
"C:\Users\Admin\AppData\Local\Temp\INV.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mZIoGLX.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2204
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mZIoGLX" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD578.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2844
- C:\Users\Admin\AppData\Local\Temp\INV.exe
  "C:\Users\Admin\AppData\Local\Temp\INV.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Browser Information Discovery

1

T1217

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD578.tmp

Filesize
1KB

MD5
195f44b4c3d58fb561244637744f5acd

SHA1
bf7eb99804e48eb174d3cfaee82d8b54a62d386d

SHA256
d867a0395c139262bfac5837c5b672a5c4a1a9a1419f770f43fea0a3d422500e

SHA512
06154f1b557e6c3106bc0e934a73b0ea8a6b08a4141e794d6360ae23d54c129224c4a52023ca8549265b753e7c147838be66e4b7765bec7059d82eea9a580557

Download Submit
memory/2400-27-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/2400-1-0x0000000000A10000-0x0000000000ADA000-memory.dmp

Filesize
808KB

Download
memory/2400-2-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/2400-3-0x0000000001FA0000-0x0000000001FBE000-memory.dmp

Filesize
120KB

Download
memory/2400-4-0x00000000740CE000-0x00000000740CF000-memory.dmp

Filesize
4KB

Download
memory/2400-5-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/2400-6-0x0000000000310000-0x000000000039E000-memory.dmp

Filesize
568KB

Download
memory/2400-0-0x00000000740CE000-0x00000000740CF000-memory.dmp

Filesize
4KB

Download
memory/2872-16-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2872-13-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2872-24-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2872-14-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2872-22-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2872-21-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2872-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2872-18-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads