MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0991a28ed2869bfa2df4be72aa190422a5c26bac19e77d79fd1bfe6d01fdcc79. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0991a28ed2869bfa2df4be72aa190422a5c26bac19e77d79fd1bfe6d01fdcc79
SHA3-384 hash: 5876996b486ec1c4576fbf0bcc1d183192aafe3c91ae97265f33e15f8ef6bf41c015f2bbf9acf8b25f0077f151fef8eb
SHA1 hash: 3d3098fc6a6e06c86d20e1b9eee432202177745e
MD5 hash: 7d73ace28a1cfd5fdc5febc65bc690e5
humanhash: maine-magnesium-harry-eighteen
File name:keylogger.dll
Download: download sample
File size:37'888 bytes
First seen:2022-04-14 20:03:21 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash dae02f32a21e03ce65412f6e56942daa (123 x YellowCockatoo, 61 x CobaltStrike, 44 x JanelaRAT)
ssdeep 768:okWmTX2VX4WJOSKEJbCTlAUWLSTQkrVHaOtatFUwUmC7NTILL5hU:i+XQoCbCTlbWzu5IWwUmC7+H5u
Threatray 8 similar samples on MalwareBazaar
TLSH T1F403BF1CB7ED4763C9F927372F73036803B4D349BA83E7C28B8D419AB55776A4A21618
TrID 89.5% (.DLL) Generic .NET DLL/Assembly (236632/4/32)
3.9% (.EXE) Win64 Executable (generic) (10523/12/4)
2.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.7% (.EXE) Win32 Executable (generic) (4505/5/1)
0.7% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter adm1n_usa32
Tags:dll keylogger ursu

Intelligence

File Origin
# of uploads :
1
# of downloads :
477
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/263862/
Detection(s):
SecuriteInfo.com.Variant.Ursu.468891.20890.29567.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware keylogger obfuscated packed wacatac
Link:
https://www.filescan.io/uploads/62587e47482f2f41cab02ee0/reports/1a6de805-fc9c-4d59-8317-033d9a10cd58/overview
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/59eac617-4301-4004-88ab-f0da21aa2716
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/977164
Signature
Contains functionality to log keystrokes (.Net Source)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Call by Ordinal
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 609652 Sample: keylogger.dll Startdate: 14/04/2022 Architecture: WINDOWS Score: 60 13 Multi AV Scanner detection for submitted file 2->13 15 Sigma detected: Suspicious Call by Ordinal 2->15 17 Contains functionality to log keystrokes (.Net Source) 2->17 19 Yara detected Costura Assembly Loader 2->19 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        process5 11 rundll32.exe 9->11         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0991a28ed2869bfa2df4be72aa190422a5c26bac19e77d79fd1bfe6d01fdcc79/
Threat name:
Win32.Trojan.Ursu
Create hunting rule
Status:
Malicious
First seen:
2022-04-10 01:36:02 UTC
File Type:
PE (.Net Dll)
AV detection:
17 of 42 (40.48%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0bd7846422b31c85b3828c45257233f0264c2867690fe884be749d0c776858c2
5fc59b8ec20cad5e14e06a973aee16bec744c13a212e6ff4f6ec09b91189636e
60caca1cab87648fee39b9200be14e2b7130772418001a077fce9bbd0d5547e6
6eb4de0ca982734616f0264fd714978c638752b94e58286a702af4a8bf926fcc
876440874478dd5882b46a6dfe15073bf61a5f3bdcaad32a6f14ab651f7a5f6b
bada7e61229d4c6bba936e8b163034b3421680c1f4ebbc69160fc96fc5bdb8ca
dad06241920a1520de401b3d3c1edcb21c60c9969c1ff3de4b56586588f15e91
e53df7dc27eb1cc6f3b1dce5f721c57d46aa57e575acbed263f59f8c76216c8a
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220414-ys8skadfhq/
Unpacked files
SH256 hash:
0991a28ed2869bfa2df4be72aa190422a5c26bac19e77d79fd1bfe6d01fdcc79
MD5 hash:
7d73ace28a1cfd5fdc5febc65bc690e5
SHA1 hash:
3d3098fc6a6e06c86d20e1b9eee432202177745e
Link:
https://www.unpac.me/results/1d575b31-fe64-40b3-bc90-525cb70c95c8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/0991a28ed2869bfa2df4be72aa190422a5c26bac19e77d79fd1bfe6d01fdcc79

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:extracted_at_0x44b
Create hunting rule
Author:cb
Description:sample - file extracted_at_0x44b.exe
Reference:Internal Research
Rule name:INDICATOR_EXE_Packed_Fody
Create hunting rule
Author:ditekSHen
Description:Detects executables manipulated with Fody

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/263862/

Comments