MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0009a5bb1bb1542c3663bc48457b7391c940ad8284d92996fa8a058fc4b5a8cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VIPKeylogger


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0009a5bb1bb1542c3663bc48457b7391c940ad8284d92996fa8a058fc4b5a8cc
SHA3-384 hash: 6ea2fa4c88b8d10817260b511e35b1770f92885532ac4aff9477628b21801a91295541aebeb03fbfb88ffd1a3e42c1e7
SHA1 hash: 7eff62e10421088c83d4c74fd8d4f54e145a6b97
MD5 hash: f6118d60f7bf36f088b6b7a2c27624fb
humanhash: sierra-louisiana-fillet-violet
File name:FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe
Download: download sample
Signature VIPKeylogger
Create hunting rule
File size:1'905'664 bytes
First seen:2025-02-18 06:46:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f72f014a8f96ef95753b4961e95532a3 (3 x RemcosRAT, 2 x DarkCloud, 1 x DBatLoader)
ssdeep 49152:CWFuLZoC0CGIAOzi6UDCTDi6RTqOLSTb:CWFuLaQ7L8iDPMOLGb
Threatray 15 similar samples on MalwareBazaar
TLSH T1F595BE31E64000F2F362363D7A5797DA489D7E223B17686A2FF43E886E79647F834152
TrID 89.1% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
7.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
1.4% (.EXE) Win64 Executable (generic) (10522/11/4)
0.6% (.EXE) Win32 Executable (generic) (4504/4/1)
0.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
File icon (PE):PE icon
dhash icon 2836b28e8e92e465 (3 x DBatLoader, 2 x DarkCloud, 2 x VIPKeylogger)
Reporter abuse_ch
Tags:exe FedEx VIPKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
444
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Ziraat_Bankasi_Swift_Messaji.cmd
Verdict:
Suspicious activity
Analysis date:
2025-02-17 22:35:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/dd804e23-fd43-4ed0-89da-c7f8c41801c7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Trojan.Sinowal-9756760-0
Create hunting rule

Win.Trojan.Modiloader-10042434-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67b42de728ab76d43a5b9622
Tags:
emotet virus shell blic
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a process from a recently created file
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Setting a global event handler for the keyboard
Forced shutdown of a browser
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context borland_delphi explorer fingerprint keylogger lolbin masquerade obfuscated packed redcap
Link:
https://www.filescan.io/uploads/67b42cee633d733362897797/reports/d9fef913-56ba-4d53-91e0-19861a2a0282/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/0009a5bb1bb1542c3663bc48457b7391c940ad8284d92996fa8a058fc4b5a8cc
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/41cbf4e8-2d37-493a-a654-200f45588df1
Result
Threat name:
DBatLoader, Snake Keylogger, VIP Keylogg
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1617727
Signature
.NET source code contains potential unpacker
Allocates many large memory junks
Allocates memory in foreign processes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Found malware configuration
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Suricata IDS alerts for network traffic
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1617727 Sample: FEDEX_SHIPPING_DOCUMENTS_MU... Startdate: 18/02/2025 Architecture: WINDOWS Score: 100 54 reallyfreegeoip.org 2->54 56 api.telegram.org 2->56 58 2 other IPs or domains 2->58 68 Suricata IDS alerts for network traffic 2->68 70 Found malware configuration 2->70 72 Malicious sample detected (through community Yara rule) 2->72 78 14 other signatures 2->78 8 FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe 1 8 2->8         started        12 Mxhvdwzh.PIF 2->12         started        14 Mxhvdwzh.PIF 2->14         started        signatures3 74 Tries to detect the country of the analysis system (by using the IP) 54->74 76 Uses the Telegram API (likely for C&C communication) 56->76 process4 file5 38 C:\Windows \SysWOW64\svchost.pif, PE32+ 8->38 dropped 40 C:\Windows \SysWOW6440ETUTILS.dll, PE32+ 8->40 dropped 42 C:\Users\Public\Libraries\hzwdvhxM.pif, PE32 8->42 dropped 44 2 other malicious files 8->44 dropped 80 Drops PE files with a suspicious file extension 8->80 82 Writes to foreign memory regions 8->82 84 Allocates memory in foreign processes 8->84 86 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 8->86 16 hzwdvhxM.pif 15 2 8->16         started        20 cmd.exe 1 8->20         started        22 cmd.exe 3 8->22         started        88 Multi AV Scanner detection for dropped file 12->88 90 Sample uses process hollowing technique 12->90 92 Allocates many large memory junks 12->92 24 hzwdvhxM.pif 12->24         started        26 hzwdvhxM.pif 14->26         started        signatures6 process7 dnsIp8 48 checkip.dyndns.com 132.226.8.169, 49706, 49709, 49711 UTMEMUS United States 16->48 50 api.telegram.org 149.154.167.220, 443, 49727, 49752 TELEGRAMRU United Kingdom 16->50 52 reallyfreegeoip.org 104.21.32.1, 443, 49707, 49708 CLOUDFLARENETUS United States 16->52 60 Detected unpacking (changes PE section rights) 16->60 62 Detected unpacking (overwrites its own PE header) 16->62 64 Tries to steal Mail credentials (via file / registry access) 16->64 28 extrac32.exe 1 20->28         started        32 conhost.exe 20->32         started        34 ndpha.pif 20->34         started        36 conhost.exe 22->36         started        66 Tries to harvest and steal browser information (history, passwords, etc) 26->66 signatures9 process10 file11 46 C:\Users\Public\ndpha.pif, PE32 28->46 dropped 94 Drops PE files to the user root directory 28->94 96 Drops PE files with a suspicious file extension 28->96 signatures12
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0009a5bb1bb1542c3663bc48457b7391c940ad8284d92996fa8a058fc4b5a8cc
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0009a5bb1bb1542c3663bc48457b7391c940ad8284d92996fa8a058fc4b5a8cc/
Threat name:
Win32.Exploit.SnakeKeylogger
Create hunting rule
Status:
Malicious
First seen:
2025-02-17 01:38:31 UTC
File Type:
PE (Exe)
Extracted files:
44
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aae2loy3wfkcyntdxreek63tsheublmcqtmstfx2ricy7rfvvdga._file
Verdict:
malicious
Label(s):
dbatloader
Create hunting rule
vipkeylogger
Create hunting rule
Similar samples:
113b0682050e0eae6a815e77389a637c64673ed582477ba34f966683bee79cee
VIPKeylogger
1b934dccc814a0d5248fa34256f192fc6e97bd322e23876bc5c751a11d0b1ed0
VIPKeylogger
3f7d4827bfbe25072981dbe089ca358e317f42218d654cf31486cdf9598c16be
VIPKeylogger
820a12d9d465245b47965d8d82101411b57fdb064e89322a84bf9a0f5599254f
VIPKeylogger
a8ad0cb7c6c4d332bc50ca8af649af8877555a79e0d4d1df3cad1ea68acd26fb
VIPKeylogger
b53b26656933d4ccf3c6665d5ca45ea9e9db1463bd96aa1c0a372b658db23574
VIPKeylogger
error
VIPKeylogger
f72ebfe6f11291393acec156f0f73b1eb5abf74761d5de8dd7b55839542c56af
VIPKeylogger
+ 5 additional samples on MalwareBazaar
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:vipkeylogger collection discovery keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/250218-hj9qhazkt7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
VIPKeylogger
Vipkeylogger family
Verdict:
Malicious
Tags:
Win.Trojan.Sinowal-9756760-0 404keylogger
YARA:
n/a
Link:
https://app.threat.zone/submission/cac09b39-f4ff-4e03-bd9f-dedb632f0c00
Unpacked files
SH256 hash:
0009a5bb1bb1542c3663bc48457b7391c940ad8284d92996fa8a058fc4b5a8cc
MD5 hash:
f6118d60f7bf36f088b6b7a2c27624fb
SHA1 hash:
7eff62e10421088c83d4c74fd8d4f54e145a6b97
Link:
https://www.unpac.me/results/6d6c3f59-d382-47e4-9c45-90ba2eb20311/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0009a5bb1bb1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.72
Link:
https://yomi.yoroi.company/submissions/0009a5bb1bb1542c3663bc48457b7391c940ad8284d92996fa8a058fc4b5a8cc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdiplusStartup
gdiplus.dll::GdiplusShutdown
gdiplus.dll::GdipDeleteGraphics
gdiplus.dll::GdipAlloc
gdiplus.dll::GdipCreateFromHDC
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryExA
kernel32.dll::LoadLibraryA
kernel32.dll::GetStartupInfoA
kernel32.dll::GetDiskFreeSpaceA
kernel32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programskernel32.dll::WinExec
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileA
kernel32.dll::GetFileAttributesA
kernel32.dll::FindFirstFileA
version.dll::GetFileVersionInfoSizeA
version.dll::GetFileVersionInfoA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegCreateKeyExA
advapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
advapi32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::ActivateKeyboardLayout
user32.dll::AppendMenuA
user32.dll::CreateMenu
user32.dll::EmptyClipboard
user32.dll::FindWindowA
user32.dll::OpenClipboard

Comments