{
	"id": "21623e12-9c66-4518-9bda-7f852ce01ec4",
	"created_at": "2026-04-06T00:22:00.891956Z",
	"updated_at": "2026-04-10T03:19:56.353729Z",
	"deleted_at": null,
	"sha1_hash": "c85164a6d91c911f8e44a7075125661921aaa5e8",
	"title": "A Lazarus Keylogger- PSLogger – One Night in Norfolk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 709983,
	"plain_text": "A Lazarus Keylogger- PSLogger – One Night in Norfolk\r\nPublished: 2019-01-22 · Archived: 2026-04-05 17:02:06 UTC\r\nThis blog recently referenced a late July VNCert report containing file-based IOCs affiliated with attempted\r\nintrusions against financial organizations in Vietnam. Several contextual and technical characteristics of these files\r\ntie them to recent activity typically attributed to North Korean adversaries with a specific interest in the financial\r\nsector.\r\nThis post explores the technical characteristics of one of these files, a keylogging and screengrabbing utility. Two\r\nversions of this utility have appeared in-the-wild. The first is directly identified in the VNCert alert and is a DLL\r\ninjected via a modified version of the open-source PowerSploit framework. The second is a standalone executable\r\nsubmitted to VirusTotal by a user in Pakistan (and possibly used in an intrusion in that region).\r\nsyschk.ps1 (Vietnam)\r\nMD5: 26466867557f84dd4784845280da1f27\r\nSHA1: ed7fcb9023d63cd9367a3a455ec94337bb48628a\r\nSHA256: 791205487bae0ac814440573e992ba2ed259dca45c4e51874325a8a673fa5ef6\r\nSyschk.ps1 contains three primary components: (1) A Base64 encoded DLL, (2) a Base64 encoded variant of\r\nPowerSploit’s Invoke-ReflectivePEInjection, and (3) a routine for decoding and executing these components. 
This\r\nscript also contains references to “c:\\windows\\temp\\TMP0389A.tmp” (noted in the previous post for its similarity\r\nto another DPRK file path and directory) and “c:\\programdata\\1.dat” as part of a “remove-item” cmdlet routine.\r\nThe Base64 DLL can be copied, converted, and saved to another file for analysis.\r\nExtracted DLL\r\nMD5: d45931632ed9e11476325189ccb6b530\r\nSHA1: 081d5bd155916f8a7236c1ea2148513c0c2c9a33\r\nSHA256: efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e\r\nThe extracted malware is designed for 64-bit operating systems and contains an export named “Process.” The\r\nmalware has two primary functions: grabbing keystroke (and clipboard) data, and grabbing screen captures of the\r\nuser’s desktop. At launch, the malware creates a file at “c:\\windows\\temp\\TMP0389A.tmp” containing the\r\ndirectory that the malware will save files in.\r\nNext, the file begins monitoring keystrokes. These are logged and saved to a hardcoded path (visible in plaintext)\r\nwithin the user’s “AppData\\Local\\Temp” directory under a folder named “GoogleChrome” in a file named\r\n“chromeupdater_pk.” The keylogging routine uses the GetKeyState and GetAsyncKeyState APIs and is not\r\nsophisticated, and logged keystroke and clipboard context is saved in plaintext.\r\nThe malware’s other functionality is to capture the desktop, compressing the images and saving them in the same\r\ndirectory. These files are saved with the filename format chromeupdater_ps_[timestamp]. Notably, the malware\r\nuses two open-source implementations to achieve this. To capture the desktop, it uses code likely derived from this\r\nhttps://norfolkinfosec.com/a-lazarus-keylogger-pslogger/\r\nPage 1 of 6\n\nexample (or code from which that example was derived). To perform compression, the malware uses the XZip\r\nlibrary, a derivation of the Info-Zip project. 
The combination of these characteristics is useful for identifying an\r\nadditional variant of this malware.\r\nOpen-source screengrabbing implementation (left) and disassembled code graph (right).\r\nOpen-source XZip code implementation.\r\nHSMBalance.exe\r\nMD5: 34404a3fb9804977c6ab86cb991fb130\r\nSHA1: b345e6fae155bfaf79c67b38cf488bb17d5be56d\r\nSHA256: c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec\r\nThe open-source screengrabbing code used in the keylogger from the Vietnam incident is relatively uncommon:\r\nwhile a basic VirusTotal pivot on one of the more distinct strings from this code identifies dozens of additional\r\nfiles that use it, most belong to a benign screen-sharing package. On the other hand, the malicious files include the\r\nVietnam keylogger and a second keylogger submitted by a user in Pakistan with strikingly similar static and\r\ndynamic properties (the hash of this file is listed above). A brief static analysis identifies the following strings:\r\nCDisplayHandlesPool: GetDC failed\r\nCDisplayHandlesPool: EnumDisplayMonitors failed\r\nCreateBitmapFinal: GetDIBits failed\r\nCaptureDesktop: CreateCompatibleDC failed\r\nCaptureDesktop: CreateCompatibleBitmap failed\r\nCaptureDesktop: SelectObject failed\r\nCaptureDesktop: BitBlt failed\r\nSpliceImages: CreateCompatibleDC failed\r\nSpliceImages: CreateCompatibleBitmap failed\r\nSpliceImages: SelectObject failed\r\nSpliceImages: BitBlt failed\r\nwild scan\r\nmore \u003c 2\r\n.zip\r\n.zoo\r\n.arc\r\n.lzh\r\n.arj\r\n.tgz\r\nAs a triaging step, this strongly suggests the use of the same compression and screengrabbing libraries. 
In\r\naddition, there are several other string similarities:\r\nPakistan file:\r\n%s%s\r\n%s\\tmp_%s\r\n[%02d%02d-%02d:%02d:%02d]\r\n[Num %d]\r\n[ENTER]\r\n[EX]\r\nkeycode = %ls keystatus = %d \\n\r\n%s\\tmp_%s_%02d%02d_%02d%02d%02d\r\nPSLogger.exe\r\nVietnam File:\r\n%s\\chromeupdater_pk\r\n%s\\chromeupdater_ps_%04d%02d%02d_%02d%02d%02d_%03d_%d\r\n[%02d:%02d:%02d:%03d]\r\n%s%s\r\n[ENTER]\r\n[EX]\r\n[CTL]\r\nPSLogger.dll\r\nWhile some of these are not a 1:1 match, there are some clear similarities regarding the likely functionality of the\r\nfile and the naming conventions. Notably, this “new” file also contains the same exported function name\r\n(“Process”) as the Vietnam DLL despite being an executable, suggesting that it may have been built using the\r\nsame codebase. In addition, the file contains a reference to the same “TMP0389A.tmp” file and path as the\r\nVietnam keylogger (though this is decoded at runtime). The combination of the shared strings, export, libraries\r\n(including XZip), and (as will be explored shortly) functionality strongly suggests that this file is likely\r\nattributable to the same threat actor.\r\nFunctionality\r\nAs mentioned, this file contains a decoding routine responsible for decrypting several strings, including:\r\n“Downloads” – Appended to the user’s Appdata\\Local\\Temp path.\r\n“c:\\windows\\temp\\TMP0389A.tmp” – Intended to contain directory storing keylogs and screenshots.\r\n“c:\\windows\\temp\\tmp1105.tmp” – Unknown purpose\r\nXOR decoding routines for several file paths within the malware\r\nAs with the Vietnam file, this file’s two core functions are screengrabbing (using the same library) and\r\nkeylogging. 
Both files are stored at “Appdata\\Local\\Temp\\Downloads.” Screenshots are generated as Bitmaps via\r\nCreateCompatibleBitmap, compressed, and saved in this directory as “tmp_[username][mmdd{time}]” (e.g.\r\n“tmp_userA_0121_142748”). As additional screenshots are created, they are appended to the same file (although\r\nre-running the malware will create a new file). Keystrokes (along with process data) are recorded in the same\r\ndirectory, under a file named “tmp_[user]” – unlike the Vietnam file, these keylogs are encrypted prior to storage.\r\nWhile the malware author did take anti-analysis steps (including encoding several filepaths and keystroke logs),\r\nthe malware as a whole remains generally unsophisticated.\r\nClosing Thoughts\r\nNeither variant of the malware is particularly sophisticated; in fact, key components of each rely on clunky\r\nimplementations of open source tools and code (including screengrabbing, compression, and memory injection).\r\nThis deficiency is most evident in the screenshot compression segment, in which new data is simply appended to\r\nan older file. A tool such as 7Zip cannot properly unpack every screenshot appended this way; instead, the\r\nadversary would need to manually carve these out (or write an additional tool to do so) given the fact that\r\nadditional zip data is simply appended to the end of the file.\r\nIt is also worth noting that neither file contains a C2 mechanism, meaning that log files and compressed images\r\nwould have to be extracted from the target device manually. This suggests that these tools are designed for post-compromise use, possibly on machines intended to be monitored for an extended period of time.\r\nSource: https://norfolkinfosec.com/a-lazarus-keylogger-pslogger/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://norfolkinfosec.com/a-lazarus-keylogger-pslogger/"
	],
	"report_names": [
		"a-lazarus-keylogger-pslogger"
	],
	"threat_actors": [],
	"ts_created_at": 1775434920,
	"ts_updated_at": 1775791196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c85164a6d91c911f8e44a7075125661921aaa5e8.pdf",
		"text": "https://archive.orkl.eu/c85164a6d91c911f8e44a7075125661921aaa5e8.txt",
		"img": "https://archive.orkl.eu/c85164a6d91c911f8e44a7075125661921aaa5e8.jpg"
	}
}