Overview

overview

10

Static

static

3

New Order ...ry.exe

windows7-x64

10

New Order ...ry.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-01-2025 17:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    New Order 12960 Inquiry.exe

  • Size

    767KB

  • MD5

    5c009b0e4bb639e8dd7f5a1921f6d942

  • SHA1

    5af4ef8bf1091d5e85016dbbd860fafd595d464c

  • SHA256

    a8c8535f49c3869518e9d62f95086e5ac36526ea61d4203aa8d2077d33ae9faa

  • SHA512

    064163938ad379c9bd77a38b6f64b127f67b909ae8ddc2cf0d1b88451b04b188bf4e9d47d42f42d4fe3a097dc5e2c31a6a9434a9fb7236fba6f4d7ba67ff5fc3

  • SSDEEP

    12288:VC4sBuaYOTSwX7Ky7AcBC3/FGDetYd4ZMl7DNeNSSHkCO9X:Y4taZTSIpBdeg4ZMppvSE39X

Score
10/10
vipkeyloggercollectiondiscoverykeyloggerstealer

Malware Config

Extracted

Family

vipkeylogger

Credentials
C2

https://api.telegram.org/bot8066712820:AAEAb01u8B6eDO5xCMdAz6XCOHC_L2RpVGo/sendMessage?chat_id=7667424178

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    stealerkeyloggervipkeylogger
  • Vipkeylogger family
    vipkeylogger
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\New Order 12960 Inquiry.exe
    "C:\Users\Admin\AppData\Local\Temp\New Order 12960 Inquiry.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:244
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:2564

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/244-8-0x0000000075260000-0x0000000075A10000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/244-2-0x0000000005F60000-0x0000000006504000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/244-9-0x0000000003360000-0x00000000033EE000-memory.dmp

    Filesize

    568KB

    Download

  • memory/244-10-0x000000000DC80000-0x000000000DD1C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/244-4-0x0000000075260000-0x0000000075A10000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/244-5-0x0000000005980000-0x000000000598A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/244-6-0x0000000005C50000-0x0000000005C6E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/244-7-0x000000007526E000-0x000000007526F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/244-0-0x000000007526E000-0x000000007526F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/244-1-0x0000000000EE0000-0x0000000000FA6000-memory.dmp

    Filesize

    792KB

    Download

  • memory/244-3-0x00000000059B0000-0x0000000005A42000-memory.dmp

    Filesize

    584KB

    Download

  • memory/244-14-0x0000000075260000-0x0000000075A10000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2564-13-0x0000000075260000-0x0000000075A10000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2564-15-0x0000000075260000-0x0000000075A10000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2564-11-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/2564-16-0x00000000065F0000-0x00000000067B2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2564-17-0x0000000006480000-0x00000000064D0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2564-18-0x0000000075260000-0x0000000075A10000-memory.dmp

    Filesize

    7.7MB

    Download