Overview

overview

10

Static

static

5

DHLDOCINV1...gz.exe

windows7-x64

10

DHLDOCINV1...gz.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    02-01-2025 12:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DHLDOCINV191224.gz.exe

  • Size

    1.1MB

  • MD5

    49a44e1bd7ae31824843c4316f35eb35

  • SHA1

    29ca56d04c4d089d7aa30df2d3480988da425fc0

  • SHA256

    9ea5173104481c6538cb5fcdadc74682b3d422750039ab3311afe694e59b4602

  • SHA512

    c7e88ce41dd529f69d5a9aeb0d6a87fff85872215eb92815a67eb4b6533ff19a0e985572185b1ebda374635684ac8a1a7cde7737e780676ebb09f4d9aa98c600

  • SSDEEP

    24576:SqDEvCTbMWu7rQYlBQcBiT6rprG8aThZqa2nU5:STvC/MTQYxsWR7aTd2

Score
10/10
vipkeyloggerdiscoverykeyloggerstealer

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7289689475:AAGFe7RPg26YJkJcwIEyxRK_I9DsBw4teZU/sendMessage?chat_id=7360475312

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    stealerkeyloggervipkeylogger
  • Vipkeylogger family
    vipkeylogger
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DHLDOCINV191224.gz.exe
    "C:\Users\Admin\AppData\Local\Temp\DHLDOCINV191224.gz.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\DHLDOCINV191224.gz.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2792

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1700-6-0x0000000000EA0000-0x00000000012A0000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2792-7-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2792-11-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2792-9-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2792-12-0x000000007416E000-0x000000007416F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2792-13-0x0000000074160000-0x000000007484E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2792-14-0x000000007416E000-0x000000007416F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2792-15-0x0000000074160000-0x000000007484E000-memory.dmp

    Filesize

    6.9MB

    Download