vipkeylogger | 037289c207c8e229d728f247c2d7eb1459fb4413fcd4fe662f74c711169a1e08

Analysis

max time kernel
117s
max time network
126s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
20/03/2025, 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

void/469a30082aeff1c7367a5c98d83d4230947500771e86738903a026859f870f1b.ps1
Size

951B
MD5

991bfc052219f7e9b6e77e2268c08947
SHA1

c6e8df55948ed92caa0401c28dfeb474c02136ef
SHA256

469a30082aeff1c7367a5c98d83d4230947500771e86738903a026859f870f1b
SHA512

bf7a963c06de9f3f66eb568f94bdeda1ea0236c39d8db768e7ecb942018fc1d7effc42295acebb114b7f40bdae5d72756eb1413d7221577bf202051fb7123fd4

Score

10^/10

vipkeylogger collection discovery execution keylogger stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
[email protected]
Password:
Acess2code

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
[email protected]
Password:
Acess2code
Email To:
[email protected]

Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	804	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
4	804	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2788	cosse.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	checkip.dyndns.org
7	reallyfreegeoip.org
8	reallyfreegeoip.org

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral11/files/0x000a000000016d1b-34.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2788 set thread context of 2872	2788	cosse.exe	36

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
804	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cosse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
804	powershell.exe
2872	RegSvcs.exe
2872	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2788	cosse.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	804	powershell.exe
Token: SeDebugPrivilege	2872	RegSvcs.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2788	cosse.exe
2788	cosse.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2788	cosse.exe
2788	cosse.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 804 wrote to memory of 2580	804	powershell.exe	32
PID 804 wrote to memory of 2580	804	powershell.exe	32
PID 804 wrote to memory of 2580	804	powershell.exe	32
PID 2580 wrote to memory of 2928	2580	csc.exe	33
PID 2580 wrote to memory of 2928	2580	csc.exe	33
PID 2580 wrote to memory of 2928	2580	csc.exe	33
PID 804 wrote to memory of 2788	804	powershell.exe	35
PID 804 wrote to memory of 2788	804	powershell.exe	35
PID 804 wrote to memory of 2788	804	powershell.exe	35
PID 804 wrote to memory of 2788	804	powershell.exe	35
PID 2788 wrote to memory of 2872	2788	cosse.exe	36
PID 2788 wrote to memory of 2872	2788	cosse.exe	36
PID 2788 wrote to memory of 2872	2788	cosse.exe	36
PID 2788 wrote to memory of 2872	2788	cosse.exe	36
PID 2788 wrote to memory of 2872	2788	cosse.exe	36
PID 2788 wrote to memory of 2872	2788	cosse.exe	36
PID 2788 wrote to memory of 2872	2788	cosse.exe	36
PID 2788 wrote to memory of 2872	2788	cosse.exe	36

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\void\469a30082aeff1c7367a5c98d83d4230947500771e86738903a026859f870f1b.ps1
1⤵
- Blocklisted process makes network request
- Downloads MZ/PE file
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:804
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tvr92vhc.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD76C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD76B.tmp"
    3⤵
    PID:2928
- C:\Users\Admin\AppData\Roaming\cosse.exe
  "C:\Users\Admin\AppData\Roaming\cosse.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Roaming\cosse.exe"
    3⤵
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD76C.tmp

Filesize
1KB

MD5
44b55a44126fdf340cd285d14eab2b9b

SHA1
44cfa17fb357f03dabe4351b2612cf25a38c4ca6

SHA256
79777f7180b574fb6c589005feddcce862f9d24e634469faa2426df08f8ad6f5

SHA512
9ffdf9524d51bb69879d81b0a123f8af3f6c6fc727bc94f13a61f1bf6fe4a7598c051b16b1fa23cb75f86338b9ee86660a1410d0d016bcefe08971be9d9104f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tvr92vhc.dll

Filesize
3KB

MD5
af2d853fa14cbe446360851160670104

SHA1
d8b7e160d5ced5b12915acbe2a3ab7fb85e3328d

SHA256
b8fc28062c87b8ef73f1e88c4f706ab3f5cb431d27bad7fd529b74790fd5f7ae

SHA512
f829b2ae52eaaf35d3a3ae8cc8f2d088bf316a4f83e3e526b36de11ef157559f20972554be2bc80b56d7bd47ecf6d2d9fb772607dc23a9f8c7668b80c8f40a84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tvr92vhc.pdb

Filesize
7KB

MD5
abbc43426c5135edddc42182fdc3648d

SHA1
97083486f798344b6e9d6b5b5a8636a4e0cbd841

SHA256
d04d6003e8b5104c9870e1cb7c525b1a0cc48604d61ab780203c8f52140fce05

SHA512
c9ae3a92bb1acb95638032c7c8666c1050ec6275c7a90fa6e06ca4bd70b225eded86d3347468fd77c1b96603e8bc20360158378d061cbad0624fec5ffc77c146

Download Submit
C:\Users\Admin\AppData\Roaming\cosse.exe

Filesize
1020KB

MD5
4397e5bc5bc3c6d79b917b17e8b122f3

SHA1
007b6e094526fb0bb0978672ff50024e1cc635fc

SHA256
63cae99ed47a3a8ad4fcf212d71c0700f5f99390f188ab2c45e17d1c4618ff04

SHA512
fd7dca44dbd973cff67d1a0cc2a80fbe2857d464d9c0d44988225c0104bce8b4b33ee01201ae3b91fecf07b2c5bef118b2a61514904b73272a5de4fa54ade386

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCD76B.tmp

Filesize
652B

MD5
1deb1699968301bd5374f1b58dff7f21

SHA1
7b094a132c0a6df718df99e36c85d8573a76f68a

SHA256
1259241f54d104940ba8d51c7271b635236d5908d0b97c966a6bb6595f8d6d2a

SHA512
db90d9e1c17619a0dbb54af0923ee8830d8b86c07321d79d68d5fbebf52980c19c90bbb1e936bde23608344b86f30fc1402c0835e7a8d34d445ed84743b99b92

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tvr92vhc.0.cs

Filesize
470B

MD5
fc199e95b98fd2bef9dc8c75ac49fd5c

SHA1
389c49f099b5da6b47d07e9de292d553c6713f83

SHA256
c443f29fb2f6d18f4cb0813c178248952b8856a8e27a157ce046e7eecd99604f

SHA512
07b4af2f464e011646d0deb2bd1639cc0ade38b507b84230ee3d4863416a6a9c9d9e6678a438ae203bd534adbe1160198c6575d87f8a88ce440aefd1d018d7ba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tvr92vhc.cmdline

Filesize
309B

MD5
e8d378cb2845535c89309fc67d541859

SHA1
c629de44ae11259c9f5f0ee10e39902076745e73

SHA256
18723318095a6fdeb60a7f66f430778a1944b300ab6998add5adf8530a90567b

SHA512
d14ee235a10ba70139507bb736407afb9921d883d94f4bd521dd05bc2b07a6eea8f05528e65218ff5f33f875c751a5fe50d9a3d0c19abf2137cb6c1137fa537b

Download Submit
memory/804-32-0x000007FEF51F0000-0x000007FEF5B8D000-memory.dmp

Filesize
9.6MB

Download
memory/804-31-0x000007FEF54AE000-0x000007FEF54AF000-memory.dmp

Filesize
4KB

Download
memory/804-11-0x000007FEF51F0000-0x000007FEF5B8D000-memory.dmp

Filesize
9.6MB

Download
memory/804-38-0x000007FEF51F0000-0x000007FEF5B8D000-memory.dmp

Filesize
9.6MB

Download
memory/804-7-0x000007FEF51F0000-0x000007FEF5B8D000-memory.dmp

Filesize
9.6MB

Download
memory/804-24-0x0000000002960000-0x0000000002968000-memory.dmp

Filesize
32KB

Download
memory/804-6-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/804-5-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/804-4-0x000007FEF54AE000-0x000007FEF54AF000-memory.dmp

Filesize
4KB

Download
memory/2580-17-0x000007FEF51F0000-0x000007FEF5B8D000-memory.dmp

Filesize
9.6MB

Download
memory/2580-22-0x000007FEF51F0000-0x000007FEF5B8D000-memory.dmp

Filesize
9.6MB

Download
memory/2872-45-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2872-46-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2872-47-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download