vipkeylogger | 037289c207c8e229d728f247c2d7eb1459fb4413fcd4fe662f74c711169a1e08

Analysis

max time kernel
43s
max time network
36s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
20/03/2025, 20:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

void/469a30082aeff1c7367a5c98d83d4230947500771e86738903a026859f870f1b.ps1
Size

951B
MD5

991bfc052219f7e9b6e77e2268c08947
SHA1

c6e8df55948ed92caa0401c28dfeb474c02136ef
SHA256

469a30082aeff1c7367a5c98d83d4230947500771e86738903a026859f870f1b
SHA512

bf7a963c06de9f3f66eb568f94bdeda1ea0236c39d8db768e7ecb942018fc1d7effc42295acebb114b7f40bdae5d72756eb1413d7221577bf202051fb7123fd4

Score

10^/10

vipkeylogger collection discovery execution keylogger stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
[email protected]
Password:
Acess2code

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
[email protected]
Password:
Acess2code
Email To:
[email protected]

Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Blocklisted process makes network request 1 IoCs

flow	pid	Process
1	5116	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
1	5116	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4816	cosse.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	checkip.dyndns.org
20	reallyfreegeoip.org
21	reallyfreegeoip.org

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral12/files/0x00080000000241e8-31.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4816 set thread context of 2520	4816	cosse.exe	92

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5116	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cosse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5116	powershell.exe
5116	powershell.exe
2520	RegSvcs.exe
2520	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4816	cosse.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5116	powershell.exe
Token: SeDebugPrivilege	2520	RegSvcs.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4816	cosse.exe
4816	cosse.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4816	cosse.exe
4816	cosse.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 5116 wrote to memory of 4800	5116	powershell.exe	89
PID 5116 wrote to memory of 4800	5116	powershell.exe	89
PID 4800 wrote to memory of 4572	4800	csc.exe	90
PID 4800 wrote to memory of 4572	4800	csc.exe	90
PID 5116 wrote to memory of 4816	5116	powershell.exe	91
PID 5116 wrote to memory of 4816	5116	powershell.exe	91
PID 5116 wrote to memory of 4816	5116	powershell.exe	91
PID 4816 wrote to memory of 2520	4816	cosse.exe	92
PID 4816 wrote to memory of 2520	4816	cosse.exe	92
PID 4816 wrote to memory of 2520	4816	cosse.exe	92
PID 4816 wrote to memory of 2520	4816	cosse.exe	92

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\void\469a30082aeff1c7367a5c98d83d4230947500771e86738903a026859f870f1b.ps1
1⤵
- Blocklisted process makes network request
- Downloads MZ/PE file
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\junoxuew\junoxuew.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4800
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6959.tmp" "c:\Users\Admin\AppData\Local\Temp\junoxuew\CSC772AFF147DD643F899E569164512E78C.TMP"
    3⤵
    PID:4572
- C:\Users\Admin\AppData\Roaming\cosse.exe
  "C:\Users\Admin\AppData\Roaming\cosse.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Roaming\cosse.exe"
    3⤵
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6959.tmp

Filesize
1KB

MD5
9abe001210ef6683405030e95b28febd

SHA1
f96c29cc97d5846c4889671bf038ab5cdef356e3

SHA256
fce589bbcb7cd3e9a1d846bfd2a05a5617cd9b6ec2b9d32779c5b8e1246811ac

SHA512
fc4f337b107886457b7bc20b12cbaa83520175dc2e1af4bcbe76993e24a3443d965bf6fd4c447514611b45b3d6c86ed7201644f9f32d3c4806473f36e2b3d0ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_15f32r4t.503.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\junoxuew\junoxuew.dll

Filesize
3KB

MD5
a2367f7844ab31caf085d72cab1cab72

SHA1
87b0d118904d35b20bc2283aa2285d6f026b40b5

SHA256
f9590f74896d293015db4283d668290ba757601b89f031624ae09a46b6c12bd5

SHA512
35af597a4a76ff5c18beafcdfe04a35ad325195234b03bc1bf3bdbfaf264f74745fbdb5eed23b437eb57dee77004ae0591676613c56afd094495b575fdbf7d99

Download Submit
C:\Users\Admin\AppData\Roaming\cosse.exe

Filesize
1020KB

MD5
4397e5bc5bc3c6d79b917b17e8b122f3

SHA1
007b6e094526fb0bb0978672ff50024e1cc635fc

SHA256
63cae99ed47a3a8ad4fcf212d71c0700f5f99390f188ab2c45e17d1c4618ff04

SHA512
fd7dca44dbd973cff67d1a0cc2a80fbe2857d464d9c0d44988225c0104bce8b4b33ee01201ae3b91fecf07b2c5bef118b2a61514904b73272a5de4fa54ade386

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\junoxuew\CSC772AFF147DD643F899E569164512E78C.TMP

Filesize
652B

MD5
61e52b8ef588808baf331fb5bd01413e

SHA1
b52a9a29a66b811d393238800bbfcd90eee710f5

SHA256
ca84f68ac18878e125fa773487f8b034cadc877bf87fcb807e333f52f0f81f70

SHA512
f5bfb67e6dac3908c9fc306232033acf87a268d6e355fbf2917f47f7057a8b484ea7cd08585388eab6703a3a113639b2a6e49a9836ea0f2d498f734096cdbf00

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\junoxuew\junoxuew.0.cs

Filesize
470B

MD5
fc199e95b98fd2bef9dc8c75ac49fd5c

SHA1
389c49f099b5da6b47d07e9de292d553c6713f83

SHA256
c443f29fb2f6d18f4cb0813c178248952b8856a8e27a157ce046e7eecd99604f

SHA512
07b4af2f464e011646d0deb2bd1639cc0ade38b507b84230ee3d4863416a6a9c9d9e6678a438ae203bd534adbe1160198c6575d87f8a88ce440aefd1d018d7ba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\junoxuew\junoxuew.cmdline

Filesize
369B

MD5
b1a9f8224542d40488b0d4bde8fa3c46

SHA1
4938201f32d3f5a1a43a4fe931ba7aacc20e5e42

SHA256
44e41750feeeb9e0b04b49e981225bdea035b37ee3f203c48e5d8168671bfbdc

SHA512
982993bf753f4ca3716f5709c7928f35884d8a8e1ea0b0bff309de5e614bbfbcc6c0bb998793626795075b76646609cf22081392e515e830ab489222f7498460

Download Submit
memory/2520-53-0x0000000006960000-0x0000000006B22000-memory.dmp

Filesize
1.8MB

Download
memory/2520-54-0x0000000006800000-0x0000000006850000-memory.dmp

Filesize
320KB

Download
memory/2520-57-0x0000000006C80000-0x0000000006C8A000-memory.dmp

Filesize
40KB

Download
memory/2520-51-0x00000000059E0000-0x0000000005F84000-memory.dmp

Filesize
5.6MB

Download
memory/2520-55-0x0000000007160000-0x000000000768C000-memory.dmp

Filesize
5.2MB

Download
memory/2520-50-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2520-52-0x00000000054D0000-0x000000000556C000-memory.dmp

Filesize
624KB

Download
memory/2520-56-0x0000000006CD0000-0x0000000006D62000-memory.dmp

Filesize
584KB

Download
memory/5116-12-0x00007FFA79180000-0x00007FFA79C41000-memory.dmp

Filesize
10.8MB

Download
memory/5116-0-0x00007FFA79183000-0x00007FFA79185000-memory.dmp

Filesize
8KB

Download
memory/5116-42-0x00007FFA79180000-0x00007FFA79C41000-memory.dmp

Filesize
10.8MB

Download
memory/5116-10-0x000001A13DF60000-0x000001A13DF82000-memory.dmp

Filesize
136KB

Download
memory/5116-11-0x00007FFA79180000-0x00007FFA79C41000-memory.dmp

Filesize
10.8MB

Download
memory/5116-25-0x000001A13DF50000-0x000001A13DF58000-memory.dmp

Filesize
32KB

Download