Analysis

  • max time kernel
    105s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250610-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250610-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/07/2025, 07:22

General

  • Target

    Teklif Talebi - Talep No-25T1847_docx.exe

  • Size

    1.1MB

  • MD5

    a0256a1a007911f53f83941f5afa5d16

  • SHA1

    549d496171239b5a8c6563c84447d701c7ab4180

  • SHA256

    dc717f613c531df66e04f17cb2718064c1e3f469c585008eebf98cd69928274f

  • SHA512

    dd9b0b755c92d4c83e351997f9f0aae16b42a3661e8be4a2b8bf816490d37d5405d52edf3bcfc96d3a7d03139f1fa782cda9d4bc8b307fcc64054fe7072079c2

  • SSDEEP

    24576:Z5EmXFtKaL4/oFe5T9yyXYfP1ijXdaOrqfqzZiM3dk+EIO:ZPVt/LZeJbInQRaOWiNiMNk+

Malware Config

Extracted

Family

vipkeylogger

Credentials
C2

https://api.telegram.org/bot8099843793:AAGeYKMLti1IpyT9o6bz7OtgdXF9md25uXA/sendMessage?chat_id=6337180137

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

  • Vipkeylogger family
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Teklif Talebi - Talep No-25T1847_docx.exe
    "C:\Users\Admin\AppData\Local\Temp\Teklif Talebi - Talep No-25T1847_docx.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2948
    • C:\Users\Admin\AppData\Local\emboweling\subbasaltic.exe
      "C:\Users\Admin\AppData\Local\Temp\Teklif Talebi - Talep No-25T1847_docx.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4040
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\Teklif Talebi - Talep No-25T1847_docx.exe"
        3⤵
        • Accesses Microsoft Outlook profiles
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:4804

Network

        MITRE ATT&CK Enterprise v16

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\poufs

          Filesize

          268KB

          MD5

          515efbbe56567cb8d624c9f03d82a64b

          SHA1

          a34f3acbab65d8173a962a7e587ad99c7a59a06a

          SHA256

          284411cd6dec4817149a727a028a01c5accc4e44843ec3be3692dee7f983ed34

          SHA512

          768c155fd75f8847eb71e5b116e2ceb4891f0364fbf04a27bc9a09dcc8df232b5c8be0535bbe1d72b6a03d35e99f896cc86d45aa52d81c4ce6ac96d5ad3a18b4

        • C:\Users\Admin\AppData\Local\emboweling\subbasaltic.exe

          Filesize

          1.1MB

          MD5

          a0256a1a007911f53f83941f5afa5d16

          SHA1

          549d496171239b5a8c6563c84447d701c7ab4180

          SHA256

          dc717f613c531df66e04f17cb2718064c1e3f469c585008eebf98cd69928274f

          SHA512

          dd9b0b755c92d4c83e351997f9f0aae16b42a3661e8be4a2b8bf816490d37d5405d52edf3bcfc96d3a7d03139f1fa782cda9d4bc8b307fcc64054fe7072079c2

        • memory/2948-6-0x0000000000BB0000-0x0000000000FB0000-memory.dmp

          Filesize

          4.0MB

        • memory/4040-18-0x0000000001AA0000-0x0000000001EA0000-memory.dmp

          Filesize

          4.0MB

        • memory/4804-22-0x0000000005570000-0x000000000560C000-memory.dmp

          Filesize

          624KB

        • memory/4804-21-0x0000000005A70000-0x0000000006014000-memory.dmp

          Filesize

          5.6MB

        • memory/4804-20-0x0000000000400000-0x0000000000448000-memory.dmp

          Filesize

          288KB

        • memory/4804-23-0x0000000005510000-0x0000000005520000-memory.dmp

          Filesize

          64KB

        • memory/4804-24-0x0000000006A00000-0x0000000006BC2000-memory.dmp

          Filesize

          1.8MB

        • memory/4804-25-0x00000000068A0000-0x00000000068F0000-memory.dmp

          Filesize

          320KB

        • memory/4804-26-0x0000000005510000-0x0000000005520000-memory.dmp

          Filesize

          64KB

        • memory/4804-27-0x0000000006CD0000-0x0000000006D62000-memory.dmp

          Filesize

          584KB

        • memory/4804-28-0x00000000069F0000-0x00000000069FA000-memory.dmp

          Filesize

          40KB