vipkeylogger | 1792b62467af9326272e0190ddd1e22c6217f23637ab47b9fbe0098ca3800c6d

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 08:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HPichHAekHXL0i2.exe
Size

735KB
MD5

25eaa2d8a1a973c77f37f07c0f0dd2fe
SHA1

57f72cf8d22f5fd5e0472a928faeb938b7a362e7
SHA256

1792b62467af9326272e0190ddd1e22c6217f23637ab47b9fbe0098ca3800c6d
SHA512

487ef85e16c835b552e1ec43489e6c2b44a9d41b365c869a95f3206f3f75a5ed7842991a745222e1e36276411769bb36f8f4eec4824b22ddde82e2f0a94f2eb3
SSDEEP

12288:NbdQiKaxRvjVoNUy/zS9iDCQJU5dlAW37yFPYELKa:pdQibRZy/cQCIwdlf3Qr

Score

10^/10

vipkeylogger discovery execution keylogger stealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.steadfastlogistics.in
Port:
587
Username:
[email protected]
Password:
slf@2023
Email To:
[email protected]

Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2896	powershell.exe
2352	powershell.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2384 set thread context of 2996	2384	HPichHAekHXL0i2.exe	39

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1688	2996	WerFault.exe	39

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HPichHAekHXL0i2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3036	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2384	HPichHAekHXL0i2.exe
2352	powershell.exe
2896	powershell.exe
2384	HPichHAekHXL0i2.exe
2384	HPichHAekHXL0i2.exe
2384	HPichHAekHXL0i2.exe
2384	HPichHAekHXL0i2.exe
2384	HPichHAekHXL0i2.exe
2384	HPichHAekHXL0i2.exe
2384	HPichHAekHXL0i2.exe
2996	vbc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2384	HPichHAekHXL0i2.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	2996	vbc.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2896	2384	HPichHAekHXL0i2.exe	30
PID 2384 wrote to memory of 2896	2384	HPichHAekHXL0i2.exe	30
PID 2384 wrote to memory of 2896	2384	HPichHAekHXL0i2.exe	30
PID 2384 wrote to memory of 2896	2384	HPichHAekHXL0i2.exe	30
PID 2384 wrote to memory of 2352	2384	HPichHAekHXL0i2.exe	32
PID 2384 wrote to memory of 2352	2384	HPichHAekHXL0i2.exe	32
PID 2384 wrote to memory of 2352	2384	HPichHAekHXL0i2.exe	32
PID 2384 wrote to memory of 2352	2384	HPichHAekHXL0i2.exe	32
PID 2384 wrote to memory of 3036	2384	HPichHAekHXL0i2.exe	34
PID 2384 wrote to memory of 3036	2384	HPichHAekHXL0i2.exe	34
PID 2384 wrote to memory of 3036	2384	HPichHAekHXL0i2.exe	34
PID 2384 wrote to memory of 3036	2384	HPichHAekHXL0i2.exe	34
PID 2384 wrote to memory of 2780	2384	HPichHAekHXL0i2.exe	36
PID 2384 wrote to memory of 2780	2384	HPichHAekHXL0i2.exe	36
PID 2384 wrote to memory of 2780	2384	HPichHAekHXL0i2.exe	36
PID 2384 wrote to memory of 2780	2384	HPichHAekHXL0i2.exe	36
PID 2384 wrote to memory of 2624	2384	HPichHAekHXL0i2.exe	37
PID 2384 wrote to memory of 2624	2384	HPichHAekHXL0i2.exe	37
PID 2384 wrote to memory of 2624	2384	HPichHAekHXL0i2.exe	37
PID 2384 wrote to memory of 2624	2384	HPichHAekHXL0i2.exe	37
PID 2384 wrote to memory of 2796	2384	HPichHAekHXL0i2.exe	38
PID 2384 wrote to memory of 2796	2384	HPichHAekHXL0i2.exe	38
PID 2384 wrote to memory of 2796	2384	HPichHAekHXL0i2.exe	38
PID 2384 wrote to memory of 2796	2384	HPichHAekHXL0i2.exe	38
PID 2384 wrote to memory of 2996	2384	HPichHAekHXL0i2.exe	39
PID 2384 wrote to memory of 2996	2384	HPichHAekHXL0i2.exe	39
PID 2384 wrote to memory of 2996	2384	HPichHAekHXL0i2.exe	39
PID 2384 wrote to memory of 2996	2384	HPichHAekHXL0i2.exe	39
PID 2384 wrote to memory of 2996	2384	HPichHAekHXL0i2.exe	39
PID 2384 wrote to memory of 2996	2384	HPichHAekHXL0i2.exe	39
PID 2384 wrote to memory of 2996	2384	HPichHAekHXL0i2.exe	39
PID 2384 wrote to memory of 2996	2384	HPichHAekHXL0i2.exe	39
PID 2384 wrote to memory of 2996	2384	HPichHAekHXL0i2.exe	39
PID 2996 wrote to memory of 1688	2996	vbc.exe	40
PID 2996 wrote to memory of 1688	2996	vbc.exe	40
PID 2996 wrote to memory of 1688	2996	vbc.exe	40
PID 2996 wrote to memory of 1688	2996	vbc.exe	40

C:\Users\Admin\AppData\Local\Temp\HPichHAekHXL0i2.exe
"C:\Users\Admin\AppData\Local\Temp\HPichHAekHXL0i2.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\HPichHAekHXL0i2.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2896
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ylDfXNTY.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2352
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ylDfXNTY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1584.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 1064
    3⤵
    - Program crash
    PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1584.tmp

Filesize
1KB

MD5
6d36713f8ece71d440e1300d64a449d5

SHA1
9fa4609b041c0ca3b9f87b67495a6623e6225cd5

SHA256
88362b84d87c784a661abd8617c29e8a187fe7647dda273d0150a3d8ee7deda6

SHA512
201157aa3c81bdf8cdd3dd59d3d743667e87730b3dbbc0ae496ea779e845d23468783c3720e6181189b613ab0c1ab2f990d4194ebc4f7d9c8f69032b8278289d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0b228b72451234d6c92540dd85234386

SHA1
a9694d4920ae48a8d43fd459c1fc37bb3b8755d1

SHA256
997bcdaad412465296de94c19f810dc9c62bcdfa4de180d35d27f2b80fc4bd93

SHA512
042a02c5fc13036e492fab7c432c74ccdf8bd24bde3757104a800b6f7731fdeece012b066f32050237429f57e6f005a851429241d9a5f35807987b36632f1a0c

Download Submit
memory/2384-4-0x0000000074CCE000-0x0000000074CCF000-memory.dmp

Filesize
4KB

Download
memory/2384-32-0x0000000074CC0000-0x00000000753AE000-memory.dmp

Filesize
6.9MB

Download
memory/2384-0-0x0000000074CCE000-0x0000000074CCF000-memory.dmp

Filesize
4KB

Download
memory/2384-5-0x0000000074CC0000-0x00000000753AE000-memory.dmp

Filesize
6.9MB

Download
memory/2384-6-0x0000000006000000-0x000000000608E000-memory.dmp

Filesize
568KB

Download
memory/2384-2-0x0000000074CC0000-0x00000000753AE000-memory.dmp

Filesize
6.9MB

Download
memory/2384-1-0x0000000000930000-0x00000000009EC000-memory.dmp

Filesize
752KB

Download
memory/2384-3-0x0000000000470000-0x0000000000488000-memory.dmp

Filesize
96KB

Download
memory/2996-19-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2996-29-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2996-31-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2996-28-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2996-27-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2996-25-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2996-22-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2996-23-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download