vipkeylogger | d7821ba940b6c2a56687df8e47d53420e222e6c4a1033ce6f9367b9cd6ef1756

Analysis

max time kernel
121s
max time network
147s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
30-01-2025 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RemittanceAdvice2000255566644.exe
Size

1.1MB
MD5

d3382c7ece891478f530aa870b8dfe9c
SHA1

dfc9a03d58c27797a6f22488ad4d92abc110c3ac
SHA256

d7821ba940b6c2a56687df8e47d53420e222e6c4a1033ce6f9367b9cd6ef1756
SHA512

ad37198368118b2fb87021095f03ebb3e37ff66f7b41dd982fdfc8d4a6d36fe3d2312edac0f3650d8bbe4a58831e6b3a1e7658bf2f7d139d23f1c751fa488629
SSDEEP

24576:eAHnh+eWsN3skA4RV1Hom2KXFmIaDgx0dFrhIOdcG5:Jh+ZkldoPK1XaDNhIk

Score

10^/10

vipkeylogger collection discovery keylogger stealer

Malware Config

Extracted

Family

vipkeylogger

https://api.telegram.org/bot8043603189:AAFpR2ormgQgQpP5aDirNgZd72aHXUsGdlI/sendMessage?chat_id=2135869667

Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chordates.vbs	chordates.exe

Executes dropped EXE 2 IoCs

pid	Process
2824	chordates.exe
2964	chordates.exe

Loads dropped DLL 2 IoCs

pid	Process
564	RemittanceAdvice2000255566644.exe
2824	chordates.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	checkip.dyndns.org
8	reallyfreegeoip.org
9	reallyfreegeoip.org

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0008000000018b05-13.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2964 set thread context of 2732	2964	chordates.exe	33

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RemittanceAdvice2000255566644.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chordates.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chordates.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2732	RegSvcs.exe
2732	RegSvcs.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2824	chordates.exe
2964	chordates.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2732	RegSvcs.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
564	RemittanceAdvice2000255566644.exe
564	RemittanceAdvice2000255566644.exe
2824	chordates.exe
2824	chordates.exe
2964	chordates.exe
2964	chordates.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
564	RemittanceAdvice2000255566644.exe
564	RemittanceAdvice2000255566644.exe
2824	chordates.exe
2824	chordates.exe
2964	chordates.exe
2964	chordates.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 564 wrote to memory of 2824	564	RemittanceAdvice2000255566644.exe	30
PID 564 wrote to memory of 2824	564	RemittanceAdvice2000255566644.exe	30
PID 564 wrote to memory of 2824	564	RemittanceAdvice2000255566644.exe	30
PID 564 wrote to memory of 2824	564	RemittanceAdvice2000255566644.exe	30
PID 2824 wrote to memory of 2792	2824	chordates.exe	31
PID 2824 wrote to memory of 2792	2824	chordates.exe	31
PID 2824 wrote to memory of 2792	2824	chordates.exe	31
PID 2824 wrote to memory of 2792	2824	chordates.exe	31
PID 2824 wrote to memory of 2792	2824	chordates.exe	31
PID 2824 wrote to memory of 2792	2824	chordates.exe	31
PID 2824 wrote to memory of 2792	2824	chordates.exe	31
PID 2824 wrote to memory of 2964	2824	chordates.exe	32
PID 2824 wrote to memory of 2964	2824	chordates.exe	32
PID 2824 wrote to memory of 2964	2824	chordates.exe	32
PID 2824 wrote to memory of 2964	2824	chordates.exe	32
PID 2964 wrote to memory of 2732	2964	chordates.exe	33
PID 2964 wrote to memory of 2732	2964	chordates.exe	33
PID 2964 wrote to memory of 2732	2964	chordates.exe	33
PID 2964 wrote to memory of 2732	2964	chordates.exe	33
PID 2964 wrote to memory of 2732	2964	chordates.exe	33
PID 2964 wrote to memory of 2732	2964	chordates.exe	33
PID 2964 wrote to memory of 2732	2964	chordates.exe	33
PID 2964 wrote to memory of 2732	2964	chordates.exe	33

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\RemittanceAdvice2000255566644.exe
"C:\Users\Admin\AppData\Local\Temp\RemittanceAdvice2000255566644.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:564
- C:\Users\Admin\AppData\Local\Idonna\chordates.exe
  "C:\Users\Admin\AppData\Local\Temp\RemittanceAdvice2000255566644.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RemittanceAdvice2000255566644.exe"
    3⤵
    PID:2792
- - C:\Users\Admin\AppData\Local\Idonna\chordates.exe
    "C:\Users\Admin\AppData\Local\Idonna\chordates.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Idonna\chordates.exe"
      4⤵
      Accesses Microsoft Outlook profiles
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut7F9B.tmp

Filesize
10KB

MD5
f8066f98f99caafd6bde7197765bf7c9

SHA1
0bad0416ba8452b7ec218ae9028691f183bdf837

SHA256
c929a1e8cf945f9cfcda2998e85ef7514e7b6a7283dac2faf30a718ad7b1d722

SHA512
5ee29ec693d9e9f452d381a990ce0299543115eb0ca73795e5334a71ef7415b7ba573f1b11653ed19cc594eaa08013e67ca0e560a58cc928dd75970abd756fda

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut80D4.tmp

Filesize
233KB

MD5
e8735099c45f63b21d41cb9f331346a8

SHA1
6bd119d74d4d323ca6ca7c836ea3d3a42d3ebcf4

SHA256
6dd5ee60aa1462d912b3b094c5a351604cf4149a2dfda1ed5259df62f04293a2

SHA512
dfcfe90d84188b23784b5565f2bd05b7934a00f2fcc5736992726e5e7568187e3d00d71d3486104e58d6d8affc59ad44cb7f36cb56ce23930fb196d62d17fa63

Download Submit
C:\Users\Admin\AppData\Local\Temp\myriopodous

Filesize
56KB

MD5
bac267db158dd7efe3cff819fa3c557b

SHA1
ba847404a3623777e70a1e26529a842e2caf55cd

SHA256
6fe1a22452dcdad9fd5b4714b5dc0e263828e64cbaac15d78f470e675da606c9

SHA512
63e4c117237a9801d682c4f4819a21a1635bdd1aca8e531d27992dbaab464ba5a1ada4d5e2bdb5de4b5237e5c346ddcff5b6c840d41b90893034f1314e265e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\spado

Filesize
243KB

MD5
4a7456fe8b8506fe36e98fc67d9c0036

SHA1
5e5f8003adffac0bbee9bc792cdacb86626442ad

SHA256
a23e694f671c751bf1d25cabd58c8dcb8b67bbd6b150683e8f8d4446655113aa

SHA512
c6bfc637c07035aff93071c5eb4b8a163f6220f16af6012b9e848fb56c00c75b88dd8c0a58d8a8cabaebd0fd6e1de4f72e0ac086565103d3fd1b7fa9c104da5f

Download Submit
\Users\Admin\AppData\Local\Idonna\chordates.exe

Filesize
1.1MB

MD5
d3382c7ece891478f530aa870b8dfe9c

SHA1
dfc9a03d58c27797a6f22488ad4d92abc110c3ac

SHA256
d7821ba940b6c2a56687df8e47d53420e222e6c4a1033ce6f9367b9cd6ef1756

SHA512
ad37198368118b2fb87021095f03ebb3e37ff66f7b41dd982fdfc8d4a6d36fe3d2312edac0f3650d8bbe4a58831e6b3a1e7658bf2f7d139d23f1c751fa488629

Download Submit
memory/564-11-0x0000000000820000-0x0000000000C20000-memory.dmp

Filesize
4.0MB

Download
memory/2732-78-0x0000000000C50000-0x0000000000CA7000-memory.dmp

Filesize
348KB

Download
memory/2732-83-0x0000000000C50000-0x0000000000CA7000-memory.dmp

Filesize
348KB

Download
memory/2732-49-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2732-51-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2732-52-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2732-53-0x0000000074B2E000-0x0000000074B2F000-memory.dmp

Filesize
4KB

Download
memory/2732-54-0x0000000000BD0000-0x0000000000C2E000-memory.dmp

Filesize
376KB

Download
memory/2732-55-0x0000000074B20000-0x000000007520E000-memory.dmp

Filesize
6.9MB

Download
memory/2732-56-0x0000000074B20000-0x000000007520E000-memory.dmp

Filesize
6.9MB

Download
memory/2732-57-0x0000000000C50000-0x0000000000CAC000-memory.dmp

Filesize
368KB

Download
memory/2732-59-0x0000000000C50000-0x0000000000CA7000-memory.dmp

Filesize
348KB

Download
memory/2732-85-0x0000000000C50000-0x0000000000CA7000-memory.dmp

Filesize
348KB

Download
memory/2732-58-0x0000000000C50000-0x0000000000CA7000-memory.dmp

Filesize
348KB

Download
memory/2732-61-0x0000000000C50000-0x0000000000CA7000-memory.dmp

Filesize
348KB

Download
memory/2732-65-0x0000000000C50000-0x0000000000CA7000-memory.dmp

Filesize
348KB

Download
memory/2732-67-0x0000000000C50000-0x0000000000CA7000-memory.dmp

Filesize
348KB

Download
memory/2732-72-0x0000000000C50000-0x0000000000CA7000-memory.dmp

Filesize
348KB

Download
memory/2732-73-0x0000000000C50000-0x0000000000CA7000-memory.dmp

Filesize
348KB

Download
memory/2732-75-0x0000000000C50000-0x0000000000CA7000-memory.dmp

Filesize
348KB

Download
memory/2732-1153-0x0000000074B20000-0x000000007520E000-memory.dmp

Filesize
6.9MB

Download
memory/2732-79-0x0000000000C50000-0x0000000000CA7000-memory.dmp

Filesize
348KB

Download
memory/2732-87-0x0000000000C50000-0x0000000000CA7000-memory.dmp

Filesize
348KB

Download
memory/2732-89-0x0000000000C50000-0x0000000000CA7000-memory.dmp

Filesize
348KB

Download
memory/2732-1152-0x0000000074B20000-0x000000007520E000-memory.dmp

Filesize
6.9MB

Download
memory/2732-81-0x0000000000C50000-0x0000000000CA7000-memory.dmp

Filesize
348KB

Download
memory/2732-69-0x0000000000C50000-0x0000000000CA7000-memory.dmp

Filesize
348KB

Download
memory/2732-63-0x0000000000C50000-0x0000000000CA7000-memory.dmp

Filesize
348KB

Download
memory/2732-103-0x0000000000C50000-0x0000000000CA7000-memory.dmp

Filesize
348KB

Download
memory/2732-117-0x0000000000C50000-0x0000000000CA7000-memory.dmp

Filesize
348KB

Download
memory/2732-115-0x0000000000C50000-0x0000000000CA7000-memory.dmp

Filesize
348KB

Download
memory/2732-113-0x0000000000C50000-0x0000000000CA7000-memory.dmp

Filesize
348KB

Download
memory/2732-111-0x0000000000C50000-0x0000000000CA7000-memory.dmp

Filesize
348KB

Download
memory/2732-109-0x0000000000C50000-0x0000000000CA7000-memory.dmp

Filesize
348KB

Download
memory/2732-107-0x0000000000C50000-0x0000000000CA7000-memory.dmp

Filesize
348KB

Download
memory/2732-105-0x0000000000C50000-0x0000000000CA7000-memory.dmp

Filesize
348KB

Download
memory/2732-101-0x0000000000C50000-0x0000000000CA7000-memory.dmp

Filesize
348KB

Download
memory/2732-99-0x0000000000C50000-0x0000000000CA7000-memory.dmp

Filesize
348KB

Download
memory/2732-97-0x0000000000C50000-0x0000000000CA7000-memory.dmp

Filesize
348KB

Download
memory/2732-95-0x0000000000C50000-0x0000000000CA7000-memory.dmp

Filesize
348KB

Download
memory/2732-93-0x0000000000C50000-0x0000000000CA7000-memory.dmp

Filesize
348KB

Download
memory/2732-91-0x0000000000C50000-0x0000000000CA7000-memory.dmp

Filesize
348KB

Download
memory/2732-1148-0x0000000074B20000-0x000000007520E000-memory.dmp

Filesize
6.9MB

Download
memory/2732-1149-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2732-1150-0x0000000074B2E000-0x0000000074B2F000-memory.dmp

Filesize
4KB

Download
memory/2732-1151-0x0000000074B20000-0x000000007520E000-memory.dmp

Filesize
6.9MB

Download
memory/2824-31-0x0000000000760000-0x0000000000B60000-memory.dmp

Filesize
4.0MB

Download
memory/2964-48-0x0000000000840000-0x0000000000C40000-memory.dmp

Filesize
4.0MB

Download