Malware Analysis Report

2025-08-05 14:44

Sample ID 250701-h7pp8sgr2v
Target Teklif Talebi - Talep No-25T1847_docx.exe
SHA256 dc717f613c531df66e04f17cb2718064c1e3f469c585008eebf98cd69928274f
Tags
vipkeylogger collection discovery keylogger stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dc717f613c531df66e04f17cb2718064c1e3f469c585008eebf98cd69928274f

Threat Level: Known bad

The file Teklif Talebi - Talep No-25T1847_docx.exe was found to be: Known bad.

Malicious Activity Summary

vipkeylogger collection discovery keylogger stealer

VIPKeylogger

Vipkeylogger family

Drops startup file

Executes dropped EXE

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

AutoIT Executable

System Location Discovery: System Language Discovery

Browser Information Discovery

Unsigned PE

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

outlook_office_path

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-01 07:22

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-01 07:22

Reported

2025-07-01 07:25

Platform

win10v2004-20250610-en

Max time kernel

105s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Teklif Talebi - Talep No-25T1847_docx.exe"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Vipkeylogger family

vipkeylogger

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\subbasaltic.vbs | C:\Users\Admin\AppData\Local\emboweling\subbasaltic.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\emboweling\subbasaltic.exe | N/A

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3001560346-2020497773-4190896137-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3001560346-2020497773-4190896137-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3001560346-2020497773-4190896137-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | reallyfreegeoip.org | N/A | N/A
N/A | reallyfreegeoip.org | N/A | N/A
N/A | checkip.dyndns.org | N/A | N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4040 set thread context of 4804 | N/A | C:\Users\Admin\AppData\Local\emboweling\subbasaltic.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Teklif Talebi - Talep No-25T1847_docx.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\emboweling\subbasaltic.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\emboweling\subbasaltic.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3001560346-2020497773-4190896137-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3001560346-2020497773-4190896137-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Teklif Talebi - Talep No-25T1847_docx.exe

"C:\Users\Admin\AppData\Local\Temp\Teklif Talebi - Talep No-25T1847_docx.exe"

C:\Users\Admin\AppData\Local\emboweling\subbasaltic.exe

"C:\Users\Admin\AppData\Local\Temp\Teklif Talebi - Talep No-25T1847_docx.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\Teklif Talebi - Talep No-25T1847_docx.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 checkip.dyndns.org udp
US 193.122.130.0:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 104.21.112.1:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp
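The behaviour chain recorded in the Signatures and Network sections (self-copy into AppData\Local, a .vbs dropped in the Startup folder, SetThreadContext from subbasaltic.exe into RegSvcs.exe, Outlook profile keys opened by RegSvcs.exe, external IP lookups via checkip.dyndns.org and reallyfreegeoip.org, and a connection to api.telegram.org) can be turned into host-level detection logic. The script below is an added example, not part of this sandbox report or of the tooling that produced it. The Sysmon-like event dictionaries, the attribution of the DNS queries to the RegSvcs.exe process, and the rule names are assumptions constructed to mirror the report's indicators; the paths, registry keys and domains are the ones the sandbox recorded.

```python
"""Detection rules derived from the indicators in the report above.

Added example: the event schema (Sysmon-like dicts), the attribution of DNS
queries to RegSvcs.exe and the rule names are assumptions; the paths, keys
and domains are the ones the sandbox recorded.
"""
import ntpath
import re

# Domains from the Network / "Looks up external IP address" sections.
IP_LOOKUP_DOMAINS = {"checkip.dyndns.org", "reallyfreegeoip.org"}
EXFIL_DOMAINS = {"api.telegram.org"}

# Outlook profile keys opened by RegSvcs.exe (Office\15.0, Office\16.0 and the
# Windows Messaging Subsystem path), generalised to any Office version.
OUTLOOK_PROFILE_RE = re.compile(
    r"\\Software\\Microsoft\\(?:Office\\\d+\.\d+\\Outlook"
    r"|Windows NT\\CurrentVersion\\Windows Messaging Subsystem)\\Profiles\\",
    re.IGNORECASE,
)
STARTUP_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
# .NET framework utilities commonly abused as hollowing hosts; RegSvcs.exe is the one seen here.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}


def image_from_cmdline(cmdline: str) -> str:
    """Return the executable named in a command line (quoted path or first token)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def _stem(path: str) -> str:
    """Lower-cased file name without extension, so 'cmd' and 'cmd.exe' compare equal."""
    return ntpath.splitext(ntpath.basename(path))[0].lower()


def evaluate(events):
    """Run every rule over a list of event dicts and return the hits."""
    hits = []
    for ev in events:
        image = ev.get("image", "")
        base = ntpath.basename(image).lower()
        kind = ev["type"]
        if kind == "process_create":
            claimed = image_from_cmdline(ev.get("cmdline", ""))
            # A hollowed process keeps the parent's command line: the image on
            # disk and the executable named in the command line disagree.
            if claimed and _stem(claimed) != _stem(image):
                hits.append({"rule": "hollowing_cmdline_mismatch", "pid": ev.get("pid"),
                             "detail": f"{image} started with command line {claimed!r}"})
            if base in DOTNET_HOSTS and USER_WRITABLE_RE.match(ev.get("parent_image", "")):
                hits.append({"rule": "dotnet_host_from_userwritable", "pid": ev.get("pid"),
                             "detail": f"{base} spawned by {ev['parent_image']}"})
        elif kind == "file_create":
            if STARTUP_RE.search(ev["target"]) and USER_WRITABLE_RE.match(image):
                hits.append({"rule": "startup_persistence", "pid": ev.get("pid"),
                             "detail": f"{image} wrote {ev['target']}"})
        elif kind == "reg_open":
            if OUTLOOK_PROFILE_RE.search(ev["key"]) and base != "outlook.exe":
                hits.append({"rule": "outlook_profile_access", "pid": ev.get("pid"),
                             "detail": f"{base} opened {ev['key']}"})
        elif kind == "dns":
            query = ev["query"].lower()
            if query in IP_LOOKUP_DOMAINS:
                hits.append({"rule": "external_ip_lookup", "pid": ev.get("pid"),
                             "detail": f"{base} resolved {query}"})
            elif query in EXFIL_DOMAINS:
                hits.append({"rule": "telegram_api_contact", "pid": ev.get("pid"),
                             "detail": f"{base} resolved {query}"})
    return hits


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\Teklif Talebi - Talep No-25T1847_docx.exe"
COPY = r"C:\Users\Admin\AppData\Local\emboweling\subbasaltic.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
SID = "S-1-5-21-3001560346-2020497773-4190896137-1000"

# Constructed events mirroring the report's process tree, file, registry and
# network indicators; the last two are benign noise that must not fire.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4040, "image": COPY, "cmdline": f'"{DROPPER}"', "parent_image": DROPPER},
    {"type": "file_create", "pid": 4040, "image": COPY,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\subbasaltic.vbs"},
    {"type": "process_create", "pid": 4804, "image": REGSVCS, "cmdline": f'"{DROPPER}"', "parent_image": COPY},
    {"type": "reg_open", "pid": 4804, "image": REGSVCS,
     "key": rf"\REGISTRY\USER\{SID}\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"type": "dns", "pid": 4804, "image": REGSVCS, "query": "checkip.dyndns.org"},
    {"type": "dns", "pid": 4804, "image": REGSVCS, "query": "api.telegram.org"},
    {"type": "dns", "pid": 1180, "image": r"C:\Windows\System32\svchost.exe", "query": "g.bing.com"},
    {"type": "process_create", "pid": 2200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c ver", "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(f"[{hit['rule']}] pid={hit['pid']} {hit['detail']}")
```

Run against the constructed events the script reports seven hits: two command-line/image mismatches (subbasaltic.exe and RegSvcs.exe both carry the dropper's command line, as in the Processes section), the Startup-folder write, RegSvcs.exe launched from a user-writable directory, the Outlook profile key access, the IP lookup and the Telegram API contact; the bing.com and cmd.exe events produce nothing. The two DNS rules are weak on their own (IP-check services and the Telegram API also appear in benign traffic) and are best used as context for the process and persistence rules rather than as stand-alone alerts.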

Files

memory/2948-6-0x0000000000BB0000-0x0000000000FB0000-memory.dmp

C:\Users\Admin\AppData\Local\emboweling\subbasaltic.exe

MD5 a0256a1a007911f53f83941f5afa5d16
SHA1 549d496171239b5a8c6563c84447d701c7ab4180
SHA256 dc717f613c531df66e04f17cb2718064c1e3f469c585008eebf98cd69928274f
SHA512 dd9b0b755c92d4c83e351997f9f0aae16b42a3661e8be4a2b8bf816490d37d5405d52edf3bcfc96d3a7d03139f1fa782cda9d4bc8b307fcc64054fe7072079c2

C:\Users\Admin\AppData\Local\Temp\poufs

MD5 515efbbe56567cb8d624c9f03d82a64b
SHA1 a34f3acbab65d8173a962a7e587ad99c7a59a06a
SHA256 284411cd6dec4817149a727a028a01c5accc4e44843ec3be3692dee7f983ed34
SHA512 768c155fd75f8847eb71e5b116e2ceb4891f0364fbf04a27bc9a09dcc8df232b5c8be0535bbe1d72b6a03d35e99f896cc86d45aa52d81c4ce6ac96d5ad3a18b4

memory/4040-18-0x0000000001AA0000-0x0000000001EA0000-memory.dmp

memory/4804-20-0x0000000000400000-0x0000000000448000-memory.dmp

memory/4804-21-0x0000000005A70000-0x0000000006014000-memory.dmp

memory/4804-22-0x0000000005570000-0x000000000560C000-memory.dmp

memory/4804-23-0x0000000005510000-0x0000000005520000-memory.dmp

memory/4804-24-0x0000000006A00000-0x0000000006BC2000-memory.dmp

memory/4804-25-0x00000000068A0000-0x00000000068F0000-memory.dmp

memory/4804-26-0x0000000005510000-0x0000000005520000-memory.dmp

memory/4804-27-0x0000000006CD0000-0x0000000006D62000-memory.dmp

memory/4804-28-0x00000000069F0000-0x00000000069FA000-memory.dmp