vipkeylogger | 932cf2933a07b9c1faab746a77c998b089f4d9e7b4e2624163cb8c01e2ee2358

General

Target

PO-62557788SH.js
Size

752KB
MD5

db3e4011e7b2533932683bc39ef8ffa0
SHA1

27c8fd3fbbe09bd718863c2272df1ca2132718c2
SHA256

932cf2933a07b9c1faab746a77c998b089f4d9e7b4e2624163cb8c01e2ee2358
SHA512

8c91411cf77838f20b3942626be6ee6ec79c8b2b03ebff3a9512977c443e3c4b496d3a481165486eb26213e2c8db34d9160badd0efc77803fce818312eaf8c09
SSDEEP

3072:RvGI4oVl/Eo/CdHpmLP5CLyQWVSNsjFM+Zle6gm3uYIM+Vi+WEA5S1nC9bqUDb:R/azm3QWVisjF8z1sqsb

Score

10^/10

vipkeylogger collection discovery execution keylogger stealer

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7961896666:AAH5NHUbQ0_ZDUI-eR-qs1bzNqVFLV-O0VY/sendMessage?chat_id=1151539471

Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2012	wscript.exe
7	2012	wscript.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
5	2012	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
2932	mkdecgno.3gp

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	checkip.dyndns.org
10	reallyfreegeoip.org
11	reallyfreegeoip.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2932 set thread context of 2948	2932	mkdecgno.3gp	34

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mkdecgno.3gp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2932	mkdecgno.3gp

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2932	mkdecgno.3gp
2932	mkdecgno.3gp
2932	mkdecgno.3gp
2932	mkdecgno.3gp
2932	mkdecgno.3gp
2932	mkdecgno.3gp
2932	mkdecgno.3gp
2932	mkdecgno.3gp
2948	RegSvcs.exe
2948	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2948	RegSvcs.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2860	2012	wscript.exe	31
PID 2012 wrote to memory of 2860	2012	wscript.exe	31
PID 2012 wrote to memory of 2860	2012	wscript.exe	31
PID 2860 wrote to memory of 2932	2860	cmd.exe	33
PID 2860 wrote to memory of 2932	2860	cmd.exe	33
PID 2860 wrote to memory of 2932	2860	cmd.exe	33
PID 2860 wrote to memory of 2932	2860	cmd.exe	33
PID 2932 wrote to memory of 2948	2932	mkdecgno.3gp	34
PID 2932 wrote to memory of 2948	2932	mkdecgno.3gp	34
PID 2932 wrote to memory of 2948	2932	mkdecgno.3gp	34
PID 2932 wrote to memory of 2948	2932	mkdecgno.3gp	34
PID 2932 wrote to memory of 2948	2932	mkdecgno.3gp	34
PID 2932 wrote to memory of 2948	2932	mkdecgno.3gp	34
PID 2932 wrote to memory of 2948	2932	mkdecgno.3gp	34
PID 2932 wrote to memory of 2948	2932	mkdecgno.3gp	34
PID 2932 wrote to memory of 2948	2932	mkdecgno.3gp	34
PID 2932 wrote to memory of 2948	2932	mkdecgno.3gp	34
PID 2932 wrote to memory of 2948	2932	mkdecgno.3gp	34
PID 2932 wrote to memory of 2948	2932	mkdecgno.3gp	34

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\PO-62557788SH.js
1⤵
- Blocklisted process makes network request
- Downloads MZ/PE file
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ""C:\Users\Admin\AppData\Local\Temp\goflmxnxqnesk\mkdecgno.3gp" "C:\Users\Admin\AppData\Local\Temp\goflmxnxqnesk\doskbhpcf.mp3""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Users\Admin\AppData\Local\Temp\goflmxnxqnesk\mkdecgno.3gp
    "C:\Users\Admin\AppData\Local\Temp\goflmxnxqnesk\mkdecgno.3gp" "C:\Users\Admin\AppData\Local\Temp\goflmxnxqnesk\doskbhpcf.mp3"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Accesses Microsoft Outlook profiles
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

JavaScript

1

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

1

T1217

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GOFLMX~1\tepxqoaajisf.bls

Filesize
296B

MD5
ecfbef6e56139be9efd00d9015d476ec

SHA1
1538bf6e05289ca86879f5f266edd9bb78984cf6

SHA256
1b7033cc9d34c7bfcfe9ccc88e62815ceaea115be1214848c82453df8253eacb

SHA512
05f5267de89592640fd23860f4208935d2d41af246ca34ff0e989f5c5f9865396efd48b926ad749584b2423b26feb57ab72b3fce4b875baef63259e16f152622

Download Submit
C:\Users\Admin\AppData\Local\Temp\GOFLMX~1\vosf.lsq

Filesize
627KB

MD5
c66af68196580aaba0007045ce20e770

SHA1
34085e624b1b179e62f29b4a0edc279bc429d854

SHA256
bd6797b83ba4b36ccd32fb3a453ad036dcbe514dd89e7d7d4985bef812bf72ed

SHA512
d406408e627629d5f62b84d4c4b8d6d1607b3c79188247437d9e61314ac6f77c08309497478e06c488c9fc9d9b5cb699cdcb3660424a78b770f541d677201d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\goflmxnxqnesk\doskbhpcf.mp3

Filesize
930KB

MD5
a224a99613680c9f62222278eabdca6d

SHA1
c54b0c5b214ecc82ddd029f4bac298b117181813

SHA256
b9767d9336f63b5b92b31d1e6b9e1c1891a0c62828a80a789fb358b03daf4b9d

SHA512
e1a0baa62c119abc5594b48f9441aeea56e29d67e8c5350cf3b9edbcdc5e9699157875f470f9af17d8110bd441d6fc3cbaedd96f11ff91fbbebbab11310e31f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\goflmxnxqnesk\mkdecgno.3gp

Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
memory/2948-31-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2948-33-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2948-37-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2948-35-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2948-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2948-30-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2948-29-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2948-28-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2948-38-0x0000000073D7E000-0x0000000073D7F000-memory.dmp

Filesize
4KB

Download
memory/2948-39-0x0000000073D70000-0x000000007445E000-memory.dmp

Filesize
6.9MB

Download
memory/2948-40-0x0000000073D7E000-0x0000000073D7F000-memory.dmp

Filesize
4KB

Download
memory/2948-41-0x0000000073D70000-0x000000007445E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing