{
	"id": "e5cb0cf3-5c7a-4086-8e0f-7bca1e501545",
	"created_at": "2026-04-06T00:14:26.699267Z",
	"updated_at": "2026-04-10T03:21:53.722116Z",
	"deleted_at": null,
	"sha1_hash": "2f031f4e5d776ee60a40d575f1fe8b43f9ae7f8e",
	"title": "Malware Analysis - VIP Keylogger - Part 2",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 98560,
	"plain_text": "Malware Analysis - VIP Keylogger - Part 2\r\nBy Mandar Naik\r\nPublished: 2025-10-24 · Archived: 2026-04-05 18:40:44 UTC\r\nHello, let’s continue with the analysis of VIP Keylogger.\r\nThe first part of the analysis left us with two executables. We will call them orange_part1.exe.vir (actual name tzeyswvngw.tmp) and orange_part2.exe.vir (actual name aaotaboryx.tmp).\r\nThe file orange_part1.exe.vir has the SHA256 hash\r\n0cae791ae86fd4960e6f9d62aac7941b1eee669e8ae373b28b32fba45e4bf46e\r\nThe file is present on VirusTotal and is detected by 8 AV engines.\r\nFigure 1: VirusTotal result of tzeyswvngw.tmp\r\nThe file is a .NET assembly, as shown by DIE.\r\nFigure 2: DIE of orange_part1.exe.vir\r\nWe can use dnSpy to view the decompiled source code.\r\nFigure 3: Decompiled source code of orange_part1.exe.vir\r\nThe main function is empty. We assume this is a dummy file that does nothing when executed.\r\nLet’s start with the analysis of the second file.\r\nThe second file, orange_part2.exe.vir, has the SHA256 hash\r\nca9e6eb1c8f2be20eaf9c220cf8482c264edd9c42389fc391eeed41dfe8de59b\r\nThe file is present on VirusTotal and is detected by 50 AV engines.\r\nFigure 4: VirusTotal result of aaotaboryx.tmp\r\nThis file is also a .NET assembly, as shown by DIE.\r\nhttps://mandarnaik016.in/blog/2025-10-25-malware-analysis-vip-keylogger-part2/\r\nPage 1 of 7\n\nFigure 5: DIE of orange_part2.exe.vir\r\nThe file orange_part2.exe.vir references suspicious functions such as VirtualProtect and CreateDecryptor.\r\nFigure 6: Suspicious flags\r\nThe strings within it provide useful insight.\r\nFigure 7: Strings within orange_part2.exe.vir\r\nStrings insight (from fig. 7):\r\n1. Checks certain values and file extensions for condition matching.\r\n2. Base64-encoded strings used for data obfuscation.\r\n3. Sets exclusions for itself in Microsoft Defender to evade detection.\r\nTo identify further capabilities, we use Capa.\r\nFigure 8: Capabilities of orange_part2.exe.vir\r\nWe load the sample in dnSpy and locate the main function to understand the behaviour and execution flow.\r\nFigure 9: Initial code of orange_part2.exe.vir\r\nCode insight (from fig. 9):\r\n1. The application runs with a hidden window. This is one of the capabilities Capa identified, listed as “hide graphical window”.\r\n2. ntdll.dll is loaded and its EtwEventWrite function is patched to turn off ETW telemetry. Capa lists this as “patch Event Tracing for Windows function”.\r\n3. VirtualProtect (seen in fig. 6) is used to make the target memory page read-write so that the function bytes can be overwritten.\r\n4. Finally, a string variable named text is initialised.\r\nThe string text is passed through a series of operations, and the output is stored in the variable array4.\r\nFigure 10: Deobfuscated data in variable array4\r\nThe function tftdhjpyudniswzlxstwqwgic returns the contents of the file xxxx.exe* from the manifest resources.\r\nFigure 11: Function to load content of file xxxx.exe\r\nThere is a file named xxxx.exe* in the resource section; it is not itself a valid executable.\r\nFigure 12: File in resources section\r\nFigure 13: DIE of xxxx.exe\r\nThe function ybuqbwzamyefzwijdqsenomvw AES-decrypts the content of xxxx.exe* with a key and IV that are stored in the binary as base64-encoded strings.\r\nFigure 14: Function to decrypt content\r\nFinally, the function yjrhqztigcmthjjbmoycwxuai gzip-decompresses the AES-decrypted data.\r\nFigure 15: Function to decompress content\r\nTo get the content of the variable array4, we debug the application.\r\nFigure 16: Code debugging\r\nThe data stored at the memory location can then be viewed.
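The chain in figs. 14 and 15 (base64-encoded key and IV, AES decryption, gzip decompression) is worth reproducing outside the debugger, because it also works on the raw resource without running the sample. The Go program below is an added example written for this write-up; it is not code from the post or from the malware. It assumes AES-CBC with PKCS#7 padding (the post only states that a key and an IV are used), and its key, IV and payload are constructed for the demo, not the sample’s real values. It goes a little beyond the post by checking the recovered bytes for the MZ header, the check fig. 17 makes by eye, and by rejecting a truncated ciphertext instead of returning garbage.

```go
package main

import (
	`bytes`
	`compress/gzip`
	`crypto/aes`
	`crypto/cipher`
	`encoding/base64`
	`errors`
	`fmt`
	`io`
)

// Constructed key (32 bytes, AES-256) and IV (16 bytes) for this example only;
// the real sample's base64 key and IV (fig. 14) are not reproduced here.
const (
	exampleKeyB64 = `MDEyMzQ1Njc4OWFiY2RlZjAxMjM0NTY3ODlhYmNkZWY=` // 0123456789abcdef0123456789abcdef
	exampleIVB64  = `ZmVkY2JhOTg3NjU0MzIxMA==`                     // fedcba9876543210
)

// cipherFromB64 decodes the base64 key and IV and builds the AES block cipher.
func cipherFromB64(keyB64, ivB64 string) (cipher.Block, []byte, error) {
	key, err := base64.StdEncoding.DecodeString(keyB64)
	if err != nil {
		return nil, nil, err
	}
	iv, err := base64.StdEncoding.DecodeString(ivB64)
	if err != nil || len(iv) != aes.BlockSize {
		return nil, nil, errors.New(`IV must be 16 bytes of valid base64`)
	}
	block, err := aes.NewCipher(key) // accepts 16-, 24- or 32-byte keys
	return block, iv, err
}

// stripPKCS7 removes and validates PKCS#7 padding (the padding scheme is assumed).
func stripPKCS7(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New(`empty plaintext`)
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) ||
		!bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New(`invalid padding`)
	}
	return b[:len(b)-n], nil
}

// unpackResource mirrors figs. 14 and 15: AES-CBC decrypt (CBC assumed from the
// presence of an IV), strip padding, then gzip-decompress.
func unpackResource(blob []byte, keyB64, ivB64 string) ([]byte, error) {
	block, iv, err := cipherFromB64(keyB64, ivB64)
	if err != nil {
		return nil, err
	}
	if len(blob) == 0 || len(blob)%aes.BlockSize != 0 { // truncated or corrupted resource
		return nil, errors.New(`ciphertext is not a whole number of AES blocks`)
	}
	plain := make([]byte, len(blob))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, blob)
	if plain, err = stripPKCS7(plain); err != nil {
		return nil, err
	}
	zr, err := gzip.NewReader(bytes.NewReader(plain)) // a wrong key usually fails here
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	return io.ReadAll(zr)
}

// isPE is the check made by eye in fig. 17: a PE image starts with MZ.
func isPE(b []byte) bool {
	return len(b) >= 2 && b[0] == 'M' && b[1] == 'Z'
}

// packResource is the inverse chain (gzip, pad, AES-CBC encrypt) and exists only
// to build a constructed resource blob for the demo.
func packResource(payload []byte, keyB64, ivB64 string) ([]byte, error) {
	block, iv, err := cipherFromB64(keyB64, ivB64)
	if err != nil {
		return nil, err
	}
	var gz bytes.Buffer
	zw := gzip.NewWriter(&gz)
	zw.Write(payload) // writes into a bytes.Buffer cannot fail
	zw.Close()
	pad := aes.BlockSize - gz.Len()%aes.BlockSize
	plain := append(gz.Bytes(), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plain)
	return out, nil
}

func main() {
	// Constructed stand-in for the real payload: an MZ header plus the DOS stub text.
	payload := append([]byte{'M', 'Z', 0x90, 0}, `This program cannot be run in DOS mode.`...)
	blob, _ := packResource(payload, exampleKeyB64, exampleIVB64) // demo constants are known-good
	out, err := unpackResource(blob, exampleKeyB64, exampleIVB64)
	fmt.Println(`err=`, err, `isPE=`, isPE(out), `len=`, len(out))
}
```

For a real sample, replace exampleKeyB64 and exampleIVB64 with the base64 strings recovered from the binary and pass the raw bytes of the resource to unpackResource; the gzip header check is where a wrong key or a wrong mode usually shows up first.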
The MZ magic bytes and the “This program cannot be run in DOS mode” stub seen in memory indicate that it is an executable file.\r\nFigure 17: Content of memory\r\nThe same set of operations (read the resource, AES-decrypt, gzip-decompress) performed in CyberChef yields the same executable file.\r\nFigure 18: Operation using CyberChef\r\nWe dump the file from memory for further analysis.\r\nThe file array4.dump has the SHA256 hash\r\n68e9d013f0867dfe02f531a17b0a08a8642b1fe49a8d9c8ec5f5bfdf8ec42199\r\nThe file is present on VirusTotal under the name Remington.exe and is detected by 62 AV engines.\r\nFigure 19: VirusTotal result of array4.dump\r\nThe dumped file array4.dump is also a .NET assembly, as shown by DIE.\r\nFigure 20: DIE of dumped data\r\nThe strings within array4.dump are quite interesting.\r\nFigure 21: Strings within array4.dump 1\r\nStrings insight (from fig. 21):\r\n1. A set of URLs, each with a port number, separated by commas.\r\n2. Details such as computer name, IP address, etc. These appear to form a unique identifier used to separate the data collected from each victim.\r\nFigure 22: Strings within array4.dump 2\r\nStrings insight (from fig. 22):\r\n1. A PHP script on the web server receives the collected data, which is sent via an HTTP POST request.\r\n2. Screenshots and clipboard data can be exfiltrated along with keystrokes.\r\nThe keylogger can exfiltrate data from a wide range of browsers.\r\nFigure 23: Strings within array4.dump 3\r\nAlong with browser data such as saved passwords, cookies and auto-fill information, it also targets email clients, e.g. Outlook.\r\nFigure 24: Strings within array4.dump 4\r\nWe again use dnSpy to view the decompiled source code.\r\nFigure 25: Obfuscated binary\r\nThis .NET file is obfuscated. We deobfuscate it using de4dot.\r\nFigure 26: Deobfuscation using de4dot\r\nWe re-open the deobfuscated file in the decompiler and locate the main function. The main function calls a large number of functions internally, some of which contain dead code.\r\nFigure 27: Decompiled source code of array4.dump\r\nThe code contains an interesting method that takes two strings: one is a constant and the other is base64-encoded. The values returned by this method are stored in the variables that occur most often in the code.\r\nFigure 28: Variables with most occurrences\r\nThe method DES-decrypts the base64-encoded string; the key is the first 8 bytes of the MD5 hash of the ASCII-encoded constant string.\r\nFigure 29: Method to decrypt strings\r\nWe use the equivalent Python code (PyCryptodome) to deobfuscate the data:\r\nimport base64\r\nimport hashlib\r\nfrom Crypto.Cipher import DES\r\n\r\n\r\ndef smethod_17(string_60: str, string_61: str) -> str:\r\n    # Decrypt a base64/DES-ECB obfuscated string (string_60) with the constant\r\n    # password string_61, mirroring the method in fig. 29.\r\n    try:\r\n        # Step 1: derive the DES key from the MD5 hash of the password\r\n        md5_hash = hashlib.md5(string_61.encode('ascii')).digest()\r\n        des_key = md5_hash[:8]  # DES key = first 8 bytes of MD5\r\n        # Step 2: create the DES cipher (ECB mode)\r\n        des = DES.new(des_key, DES.MODE_ECB)\r\n        # Step 3: base64-decode the input string\r\n        encrypted_data = base64.b64decode(string_60)\r\n        # Step 4: decrypt\r\n        decrypted_data = des.decrypt(encrypted_data)\r\n        # Step 5: remove PKCS5/7 padding if present\r\n        try:\r\n            padding_len = decrypted_data[-1]\r\n            if all(p == padding_len for p in decrypted_data[-padding_len:]):\r\n                decrypted_data = decrypted_data[:-padding_len]\r\n        except Exception:\r\n            pass  # if padding removal fails, keep the raw bytes\r\n        # Step 6: convert back to an ASCII string\r\n        return decrypted_data.decode('ascii', errors='ignore')\r\n    except Exception:\r\n        return None\r\nWe get the following output. It contains mail addresses, a hostname, etc.\r\nFigure 30: Decrypted strings\r\nWe substitute them back into the initial source code (from fig. 28) and get:\r\nFigure 31: Strings replaced\r\nThe variables strings_30 to strings_34 are used in most parts of the code; one use is shown below.\r\nFigure 32: Function to exfiltrate data\r\nFrom the code, we can see that an email is sent with the following parameters:\r\nName            Parameter\r\nSMTP host name  mail[.]wiramas[.]com[.]my\r\nSMTP port       587\r\nCredential      Kwm@2024\r\nFrom            rosli@wiramas[.]com[.]my\r\nTo              williamslucy570@gmail[.]com\r\nSubject         PC Name: {username} | VIP Recovery\r\nBody            Exfiltrated data\r\nIOCs\r\nSHA256:\r\nd6255b39e2be431e6226c8414b75721a16c114960f8a87acc06ea9fa7563006f\r\n0cae791ae86fd4960e6f9d62aac7941b1eee669e8ae373b28b32fba45e4bf46e\r\nca9e6eb1c8f2be20eaf9c220cf8482c264edd9c42389fc391eeed41dfe8de59b\r\n68e9d013f0867dfe02f531a17b0a08a8642b1fe49a8d9c8ec5f5bfdf8ec42199\r\nURLs and IPs:\r\nhxxp[://]varders[.]kozow[.]com:8081\r\nhxxp[://]aborters[.]duckdns[.]org:8081\r\nhxxp[://]anotherarmy[.]dns[.]army:8081\r\nhxxp[://]51[.]38[.]247[.]67:8081/\r\n89[.]208[.]29[.]130\r\n69[.]55[.]5[.]249\r\n141[.]226[.]236[.]91\r\n3[.]23[.]155[.]57\r\nEmail infrastructure:\r\nrosli@wiramas[.]com[.]my\r\nmail[.]wiramas[.]com[.]my\r\nwilliamslucy570@gmail[.]com\r\nWe meet next time, dissecting another sample or coming up with an evasion technique. Until then, stay safe.\r\nSource: https://mandarnaik016.in/blog/2025-10-25-malware-analysis-vip-keylogger-part2/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://mandarnaik016.in/blog/2025-10-25-malware-analysis-vip-keylogger-part2/"
	],
	"report_names": [
		"2025-10-25-malware-analysis-vip-keylogger-part2"
	],
	"threat_actors": [],
	"ts_created_at": 1775434466,
	"ts_updated_at": 1775791313,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2f031f4e5d776ee60a40d575f1fe8b43f9ae7f8e.pdf",
		"text": "https://archive.orkl.eu/2f031f4e5d776ee60a40d575f1fe8b43f9ae7f8e.txt",
		"img": "https://archive.orkl.eu/2f031f4e5d776ee60a40d575f1fe8b43f9ae7f8e.jpg"
	}
}