vipkeylogger | 640b9f47f147b0d38fbcacb6aa057f67a32f8aa3fa4dfc45a83ef439319317a6

Analysis

max time kernel
121s
max time network
120s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
14/02/2025, 07:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SHIP PARTICULARS.exe
Size

1.1MB
MD5

7e01f412c2520b42e189f327f0b9fb89
SHA1

895317fb7c2939ee5dd0a6dd9dcb745dcf908ffa
SHA256

640b9f47f147b0d38fbcacb6aa057f67a32f8aa3fa4dfc45a83ef439319317a6
SHA512

eb0d2b0702e84497ce411118e7ed69309cccd9f06d9b63fc0e40b8abef8084d32522d21adeaced6e02f62c6e884e8a5dcccf22773e0fcb92d928895484d475c5
SSDEEP

24576:Au6J33O0c+JY5UZ+XC0kGso6Fau8sSB6l+aJWY:qu0c++OCvkGs9FauPS2+3Y

Score

10^/10

vipkeylogger collection discovery keylogger stealer

Malware Config

Extracted

Family

vipkeylogger

https://api.telegram.org/bot7779092393:AAG1iBZU_dRiHJk5QaPmqA4YnolU1rdteJE/sendMessage?chat_id=2135869667

Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\subbasaltic.vbs	subbasaltic.exe

Executes dropped EXE 5 IoCs

pid	Process
2520	subbasaltic.exe
1984	subbasaltic.exe
2700	subbasaltic.exe
2796	subbasaltic.exe
2712	subbasaltic.exe

Loads dropped DLL 2 IoCs

pid	Process
1484	SHIP PARTICULARS.exe
2520	subbasaltic.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	checkip.dyndns.org
8	reallyfreegeoip.org
12	reallyfreegeoip.org

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0006000000018704-13.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2712 set thread context of 2456	2712	subbasaltic.exe	40

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SHIP PARTICULARS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	subbasaltic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	subbasaltic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	subbasaltic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	subbasaltic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	subbasaltic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2456	RegSvcs.exe
2456	RegSvcs.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2520	subbasaltic.exe
1984	subbasaltic.exe
2700	subbasaltic.exe
2796	subbasaltic.exe
2712	subbasaltic.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2456	RegSvcs.exe

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
1484	SHIP PARTICULARS.exe
1484	SHIP PARTICULARS.exe
2520	subbasaltic.exe
2520	subbasaltic.exe
1984	subbasaltic.exe
1984	subbasaltic.exe
2700	subbasaltic.exe
2700	subbasaltic.exe
2796	subbasaltic.exe
2796	subbasaltic.exe
2712	subbasaltic.exe
2712	subbasaltic.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1484	SHIP PARTICULARS.exe
1484	SHIP PARTICULARS.exe
2520	subbasaltic.exe
2520	subbasaltic.exe
1984	subbasaltic.exe
1984	subbasaltic.exe
2700	subbasaltic.exe
2700	subbasaltic.exe
2796	subbasaltic.exe
2796	subbasaltic.exe
2712	subbasaltic.exe
2712	subbasaltic.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 2520	1484	SHIP PARTICULARS.exe	31
PID 1484 wrote to memory of 2520	1484	SHIP PARTICULARS.exe	31
PID 1484 wrote to memory of 2520	1484	SHIP PARTICULARS.exe	31
PID 1484 wrote to memory of 2520	1484	SHIP PARTICULARS.exe	31
PID 2520 wrote to memory of 2152	2520	subbasaltic.exe	32
PID 2520 wrote to memory of 2152	2520	subbasaltic.exe	32
PID 2520 wrote to memory of 2152	2520	subbasaltic.exe	32
PID 2520 wrote to memory of 2152	2520	subbasaltic.exe	32
PID 2520 wrote to memory of 2152	2520	subbasaltic.exe	32
PID 2520 wrote to memory of 2152	2520	subbasaltic.exe	32
PID 2520 wrote to memory of 2152	2520	subbasaltic.exe	32
PID 2520 wrote to memory of 1984	2520	subbasaltic.exe	33
PID 2520 wrote to memory of 1984	2520	subbasaltic.exe	33
PID 2520 wrote to memory of 1984	2520	subbasaltic.exe	33
PID 2520 wrote to memory of 1984	2520	subbasaltic.exe	33
PID 1984 wrote to memory of 2820	1984	subbasaltic.exe	34
PID 1984 wrote to memory of 2820	1984	subbasaltic.exe	34
PID 1984 wrote to memory of 2820	1984	subbasaltic.exe	34
PID 1984 wrote to memory of 2820	1984	subbasaltic.exe	34
PID 1984 wrote to memory of 2820	1984	subbasaltic.exe	34
PID 1984 wrote to memory of 2820	1984	subbasaltic.exe	34
PID 1984 wrote to memory of 2820	1984	subbasaltic.exe	34
PID 1984 wrote to memory of 2700	1984	subbasaltic.exe	35
PID 1984 wrote to memory of 2700	1984	subbasaltic.exe	35
PID 1984 wrote to memory of 2700	1984	subbasaltic.exe	35
PID 1984 wrote to memory of 2700	1984	subbasaltic.exe	35
PID 2700 wrote to memory of 2720	2700	subbasaltic.exe	36
PID 2700 wrote to memory of 2720	2700	subbasaltic.exe	36
PID 2700 wrote to memory of 2720	2700	subbasaltic.exe	36
PID 2700 wrote to memory of 2720	2700	subbasaltic.exe	36
PID 2700 wrote to memory of 2720	2700	subbasaltic.exe	36
PID 2700 wrote to memory of 2720	2700	subbasaltic.exe	36
PID 2700 wrote to memory of 2720	2700	subbasaltic.exe	36
PID 2700 wrote to memory of 2796	2700	subbasaltic.exe	37
PID 2700 wrote to memory of 2796	2700	subbasaltic.exe	37
PID 2700 wrote to memory of 2796	2700	subbasaltic.exe	37
PID 2700 wrote to memory of 2796	2700	subbasaltic.exe	37
PID 2796 wrote to memory of 2704	2796	subbasaltic.exe	38
PID 2796 wrote to memory of 2704	2796	subbasaltic.exe	38
PID 2796 wrote to memory of 2704	2796	subbasaltic.exe	38
PID 2796 wrote to memory of 2704	2796	subbasaltic.exe	38
PID 2796 wrote to memory of 2704	2796	subbasaltic.exe	38
PID 2796 wrote to memory of 2704	2796	subbasaltic.exe	38
PID 2796 wrote to memory of 2704	2796	subbasaltic.exe	38
PID 2796 wrote to memory of 2712	2796	subbasaltic.exe	39
PID 2796 wrote to memory of 2712	2796	subbasaltic.exe	39
PID 2796 wrote to memory of 2712	2796	subbasaltic.exe	39
PID 2796 wrote to memory of 2712	2796	subbasaltic.exe	39
PID 2712 wrote to memory of 2456	2712	subbasaltic.exe	40
PID 2712 wrote to memory of 2456	2712	subbasaltic.exe	40
PID 2712 wrote to memory of 2456	2712	subbasaltic.exe	40
PID 2712 wrote to memory of 2456	2712	subbasaltic.exe	40
PID 2712 wrote to memory of 2456	2712	subbasaltic.exe	40
PID 2712 wrote to memory of 2456	2712	subbasaltic.exe	40
PID 2712 wrote to memory of 2456	2712	subbasaltic.exe	40
PID 2712 wrote to memory of 2456	2712	subbasaltic.exe	40

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\SHIP PARTICULARS.exe
"C:\Users\Admin\AppData\Local\Temp\SHIP PARTICULARS.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Users\Admin\AppData\Local\peristeromorphous\subbasaltic.exe
  "C:\Users\Admin\AppData\Local\Temp\SHIP PARTICULARS.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\SHIP PARTICULARS.exe"
    3⤵
    PID:2152
- - C:\Users\Admin\AppData\Local\peristeromorphous\subbasaltic.exe
    "C:\Users\Admin\AppData\Local\peristeromorphous\subbasaltic.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\peristeromorphous\subbasaltic.exe"
      4⤵
      PID:2820
  - - C:\Users\Admin\AppData\Local\peristeromorphous\subbasaltic.exe
      "C:\Users\Admin\AppData\Local\peristeromorphous\subbasaltic.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\peristeromorphous\subbasaltic.exe"
        5⤵
        
        PID:2720
    - - C:\Users\Admin\AppData\Local\peristeromorphous\subbasaltic.exe
        
        "C:\Users\Admin\AppData\Local\peristeromorphous\subbasaltic.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2796
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\peristeromorphous\subbasaltic.exe"
        6⤵
        
        PID:2704
      - C:\Users\Admin\AppData\Local\peristeromorphous\subbasaltic.exe
        
        "C:\Users\Admin\AppData\Local\peristeromorphous\subbasaltic.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\peristeromorphous\subbasaltic.exe"
        7⤵
        Accesses Microsoft Outlook profiles
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\autD4CC.tmp

Filesize
233KB

MD5
3e85972504c9c155e7aec3ce459a0aa0

SHA1
3f5dbea1c47b8b1cdf16d2e58ddc4da5b77ef9ad

SHA256
8c2d77669468595cd5d58abf8297fccb741ff7da34b5106064a9f2e4f253774e

SHA512
19ed0ebf3ddd1f82bf4e3445ff0ac299f8c3a49b14044f6c4d439c350f4f307a99372d2c94b1e49f56e211aacc005e8ea5919e84c4cfadd0a06d790c75815cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\autD4DD.tmp

Filesize
9KB

MD5
645af7d27733ce622edd3a17c0406ffd

SHA1
684bc6987b12109ba7360172e35e352d29eeda97

SHA256
724c4a3a6982b4ecf47c15fc0851288e4a611337c5b0096f241fb3050c3472ff

SHA512
09e1001b817e729bfd8270eacf3e6f7f45e52bcf712677ea7da38820d51d56d830ed10d0737346d40af02f00c94f04f13e9ad27eccadc1f10fe53cef7d94303a

Download Submit
C:\Users\Admin\AppData\Local\Temp\epistemology

Filesize
243KB

MD5
72635a9c34378068e8bfef21a6906844

SHA1
342c36d0f60acba2d876723452742b8e7bfff03c

SHA256
b769c190804f9ee2eef31abcb8e2b3e49a13ded23059b038d945e02dc07f9a25

SHA512
81447f7e384dba02ccfb66e9a0dcbacde4c9db81bd168dd25a666ecc7874ed9913d290b6d890961b427a2d201f759cd91cf52781689fcb5223b29d3a081c183c

Download Submit
C:\Users\Admin\AppData\Local\Temp\meshummad

Filesize
29KB

MD5
2868726988adf0edfef323911bb3172f

SHA1
e7cf3545e404d6e678c4fd5b1ce180c94790302b

SHA256
4cf365d7e0e50964d8e85802fc879ecd9692e921555ab2f27db5a8f127beeb91

SHA512
816b2425cfaae340c820fc3e6ea888db0ba725be8be78e5761636eaa7a6f09d68a46a56eaad73f9d6c62ed0f0b74e8928d84d2b5752ea0b2143855424b81a413

Download Submit
\Users\Admin\AppData\Local\peristeromorphous\subbasaltic.exe

Filesize
1.1MB

MD5
7e01f412c2520b42e189f327f0b9fb89

SHA1
895317fb7c2939ee5dd0a6dd9dcb745dcf908ffa

SHA256
640b9f47f147b0d38fbcacb6aa057f67a32f8aa3fa4dfc45a83ef439319317a6

SHA512
eb0d2b0702e84497ce411118e7ed69309cccd9f06d9b63fc0e40b8abef8084d32522d21adeaced6e02f62c6e884e8a5dcccf22773e0fcb92d928895484d475c5

Download Submit
memory/1484-11-0x0000000000120000-0x0000000000124000-memory.dmp

Filesize
16KB

Download
memory/2456-136-0x0000000000A60000-0x0000000000AB8000-memory.dmp

Filesize
352KB

Download
memory/2456-130-0x0000000000A60000-0x0000000000AB8000-memory.dmp

Filesize
352KB

Download
memory/2456-91-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2456-92-0x0000000000A60000-0x0000000000ABC000-memory.dmp

Filesize
368KB

Download
memory/2456-93-0x0000000000A60000-0x0000000000AB8000-memory.dmp

Filesize
352KB

Download
memory/2456-94-0x0000000000A60000-0x0000000000AB8000-memory.dmp

Filesize
352KB

Download
memory/2456-96-0x0000000000A60000-0x0000000000AB8000-memory.dmp

Filesize
352KB

Download
memory/2456-98-0x0000000000A60000-0x0000000000AB8000-memory.dmp

Filesize
352KB

Download
memory/2456-100-0x0000000000A60000-0x0000000000AB8000-memory.dmp

Filesize
352KB

Download
memory/2456-102-0x0000000000A60000-0x0000000000AB8000-memory.dmp

Filesize
352KB

Download
memory/2456-104-0x0000000000A60000-0x0000000000AB8000-memory.dmp

Filesize
352KB

Download
memory/2456-110-0x0000000000A60000-0x0000000000AB8000-memory.dmp

Filesize
352KB

Download
memory/2456-114-0x0000000000A60000-0x0000000000AB8000-memory.dmp

Filesize
352KB

Download
memory/2456-138-0x0000000000A60000-0x0000000000AB8000-memory.dmp

Filesize
352KB

Download
memory/2456-89-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2456-134-0x0000000000A60000-0x0000000000AB8000-memory.dmp

Filesize
352KB

Download
memory/2456-133-0x0000000000A60000-0x0000000000AB8000-memory.dmp

Filesize
352KB

Download
memory/2456-90-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2456-128-0x0000000000A60000-0x0000000000AB8000-memory.dmp

Filesize
352KB

Download
memory/2456-126-0x0000000000A60000-0x0000000000AB8000-memory.dmp

Filesize
352KB

Download
memory/2456-124-0x0000000000A60000-0x0000000000AB8000-memory.dmp

Filesize
352KB

Download
memory/2456-122-0x0000000000A60000-0x0000000000AB8000-memory.dmp

Filesize
352KB

Download
memory/2456-120-0x0000000000A60000-0x0000000000AB8000-memory.dmp

Filesize
352KB

Download
memory/2456-118-0x0000000000A60000-0x0000000000AB8000-memory.dmp

Filesize
352KB

Download
memory/2456-116-0x0000000000A60000-0x0000000000AB8000-memory.dmp

Filesize
352KB

Download
memory/2456-112-0x0000000000A60000-0x0000000000AB8000-memory.dmp

Filesize
352KB

Download
memory/2456-108-0x0000000000A60000-0x0000000000AB8000-memory.dmp

Filesize
352KB

Download
memory/2456-106-0x0000000000A60000-0x0000000000AB8000-memory.dmp

Filesize
352KB

Download
memory/2456-140-0x0000000000A60000-0x0000000000AB8000-memory.dmp

Filesize
352KB

Download
memory/2456-142-0x0000000000A60000-0x0000000000AB8000-memory.dmp

Filesize
352KB

Download
memory/2456-144-0x0000000000A60000-0x0000000000AB8000-memory.dmp

Filesize
352KB

Download
memory/2456-146-0x0000000000A60000-0x0000000000AB8000-memory.dmp

Filesize
352KB

Download
memory/2456-148-0x0000000000A60000-0x0000000000AB8000-memory.dmp

Filesize
352KB

Download
memory/2456-150-0x0000000000A60000-0x0000000000AB8000-memory.dmp

Filesize
352KB

Download
memory/2456-152-0x0000000000A60000-0x0000000000AB8000-memory.dmp

Filesize
352KB

Download
memory/2456-154-0x0000000000A60000-0x0000000000AB8000-memory.dmp

Filesize
352KB

Download