vipkeylogger | 037289c207c8e229d728f247c2d7eb1459fb4413fcd4fe662f74c711169a1e08

Analysis

max time kernel
116s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
20/03/2025, 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

void/469a30082aeff1c7367a5c98d83d4230947500771e86738903a026859f870f1b.ps1
Size

951B
MD5

991bfc052219f7e9b6e77e2268c08947
SHA1

c6e8df55948ed92caa0401c28dfeb474c02136ef
SHA256

469a30082aeff1c7367a5c98d83d4230947500771e86738903a026859f870f1b
SHA512

bf7a963c06de9f3f66eb568f94bdeda1ea0236c39d8db768e7ecb942018fc1d7effc42295acebb114b7f40bdae5d72756eb1413d7221577bf202051fb7123fd4

Score

10^/10

vipkeylogger collection discovery execution keylogger stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
[email protected]
Password:
Acess2code

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
[email protected]
Password:
Acess2code
Email To:
[email protected]

Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Blocklisted process makes network request 1 IoCs

flow	pid	Process
16	4368	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
16	4368	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4584	cosse.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	reallyfreegeoip.org
26	reallyfreegeoip.org
22	checkip.dyndns.org

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral12/files/0x0004000000016917-31.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4584 set thread context of 5372	4584	cosse.exe	93

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4368	powershell.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1488	4584	WerFault.exe	92

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cosse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4368	powershell.exe
4368	powershell.exe
5372	RegSvcs.exe
5372	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4584	cosse.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4368	powershell.exe
Token: SeDebugPrivilege	5372	RegSvcs.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4584	cosse.exe
4584	cosse.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4584	cosse.exe
4584	cosse.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4368 wrote to memory of 6000	4368	powershell.exe	88
PID 4368 wrote to memory of 6000	4368	powershell.exe	88
PID 6000 wrote to memory of 244	6000	csc.exe	89
PID 6000 wrote to memory of 244	6000	csc.exe	89
PID 4368 wrote to memory of 4584	4368	powershell.exe	92
PID 4368 wrote to memory of 4584	4368	powershell.exe	92
PID 4368 wrote to memory of 4584	4368	powershell.exe	92
PID 4584 wrote to memory of 5372	4584	cosse.exe	93
PID 4584 wrote to memory of 5372	4584	cosse.exe	93
PID 4584 wrote to memory of 5372	4584	cosse.exe	93
PID 4584 wrote to memory of 5372	4584	cosse.exe	93

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\void\469a30082aeff1c7367a5c98d83d4230947500771e86738903a026859f870f1b.ps1
1⤵
- Blocklisted process makes network request
- Downloads MZ/PE file
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jpd3crvk\jpd3crvk.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:6000
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES885A.tmp" "c:\Users\Admin\AppData\Local\Temp\jpd3crvk\CSC9B59E7E270FA4B26AA644DAF15BFBD76.TMP"
    3⤵
    PID:244
- C:\Users\Admin\AppData\Roaming\cosse.exe
  "C:\Users\Admin\AppData\Roaming\cosse.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4584
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Roaming\cosse.exe"
    3⤵
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:5372
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 692
    3⤵
    - Program crash
    PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4584 -ip 4584
1⤵
PID:3392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES885A.tmp

Filesize
1KB

MD5
d532d67887b0dab2e4dd6dde3b04bd66

SHA1
8291d3464d80fc4e71e8604b80544ea6674d5d55

SHA256
ea06ab748c9d0c669b49f72f86781a0d5d58e8796d8abdbde0519009c52a09a4

SHA512
763fd7d3e4a9a06f9560719c11f8e7bf7f8a915493e147be16a94124de1f81579f6a210224fea5a6e017bd7f1d9ab86bfd4037e9666258ee22f6a9b6c4d065dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ymepxvcl.oti.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\jpd3crvk\jpd3crvk.dll

Filesize
3KB

MD5
6ce6ca157316c891b6e74dd20fc5f83a

SHA1
5947932d4c446c99c60a2321e5c2e4b944b818cf

SHA256
c85984e7944b6339e6144087d0659eceb551c8ed1a1025a9dacdc045df3138f4

SHA512
5642ef5b9ff3f225c10f20ae1e4bcf523f05c585bae00a7c11820242ba89e3f5d82f127bff5919713cbbcf6b7eb1c36db440afda69d17058d7a737aba537bc91

Download Submit
C:\Users\Admin\AppData\Roaming\cosse.exe

Filesize
1020KB

MD5
4397e5bc5bc3c6d79b917b17e8b122f3

SHA1
007b6e094526fb0bb0978672ff50024e1cc635fc

SHA256
63cae99ed47a3a8ad4fcf212d71c0700f5f99390f188ab2c45e17d1c4618ff04

SHA512
fd7dca44dbd973cff67d1a0cc2a80fbe2857d464d9c0d44988225c0104bce8b4b33ee01201ae3b91fecf07b2c5bef118b2a61514904b73272a5de4fa54ade386

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jpd3crvk\CSC9B59E7E270FA4B26AA644DAF15BFBD76.TMP

Filesize
652B

MD5
6772e7f624da62d51074dda637cb7e27

SHA1
d6a70168f519c2ff06be87be4a0836f4063e9fe1

SHA256
0cae1539b13cfa75c6561f7376f1a37b72c57ed35cb79ffeb8407362501aabad

SHA512
bfdf9236e7eedb945d10ae77a2ef3ab0c5b45240afe75e3eff1783c2dc3b3451032752016dc1545b120d6945bc27e4965fed31d3ba19d04c53a1a60e3d7c8393

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jpd3crvk\jpd3crvk.0.cs

Filesize
470B

MD5
fc199e95b98fd2bef9dc8c75ac49fd5c

SHA1
389c49f099b5da6b47d07e9de292d553c6713f83

SHA256
c443f29fb2f6d18f4cb0813c178248952b8856a8e27a157ce046e7eecd99604f

SHA512
07b4af2f464e011646d0deb2bd1639cc0ade38b507b84230ee3d4863416a6a9c9d9e6678a438ae203bd534adbe1160198c6575d87f8a88ce440aefd1d018d7ba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jpd3crvk\jpd3crvk.cmdline

Filesize
369B

MD5
5dc7abaa5c696ed25f1442acaafdd3df

SHA1
bffd3dfeb4a5b7067b937a86d7bd26e8f0c50a3a

SHA256
65f59f1bac8a124004c6a2a466a2934fdd0f944ae03af36e5e87899807e2f35e

SHA512
73afd52e5de06d47ebcb24dc0252280a562dadfcbbf808402cab3978ed63b8a5581969ceeeb41b351589f8287c9e34078d25182b56fc40aa3f48943a6d66b405

Download Submit
memory/4368-0-0x00007FFD3C8C3000-0x00007FFD3C8C5000-memory.dmp

Filesize
8KB

Download
memory/4368-12-0x00007FFD3C8C0000-0x00007FFD3D381000-memory.dmp

Filesize
10.8MB

Download
memory/4368-25-0x000002CF97510000-0x000002CF97518000-memory.dmp

Filesize
32KB

Download
memory/4368-11-0x00007FFD3C8C0000-0x00007FFD3D381000-memory.dmp

Filesize
10.8MB

Download
memory/4368-10-0x000002CF97520000-0x000002CF97542000-memory.dmp

Filesize
136KB

Download
memory/4368-42-0x00007FFD3C8C0000-0x00007FFD3D381000-memory.dmp

Filesize
10.8MB

Download
memory/5372-50-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/5372-51-0x0000000005EE0000-0x0000000006484000-memory.dmp

Filesize
5.6MB

Download
memory/5372-52-0x0000000005870000-0x000000000590C000-memory.dmp

Filesize
624KB

Download
memory/5372-53-0x0000000006D20000-0x0000000006EE2000-memory.dmp

Filesize
1.8MB

Download
memory/5372-54-0x0000000006BB0000-0x0000000006C00000-memory.dmp

Filesize
320KB

Download
memory/5372-55-0x0000000007520000-0x0000000007A4C000-memory.dmp

Filesize
5.2MB

Download
memory/5372-56-0x0000000007090000-0x0000000007122000-memory.dmp

Filesize
584KB

Download
memory/5372-57-0x0000000007040000-0x000000000704A000-memory.dmp

Filesize
40KB

Download