MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 227a47ab69a3e27af957a15c776726f2ba7983cc02dd6031d8c057ec3f915c9a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

VIPKeylogger

Vendor detections: 17

Intelligence 17 IOCs YARA 7 File information Comments

SHA256 hash:	227a47ab69a3e27af957a15c776726f2ba7983cc02dd6031d8c057ec3f915c9a
SHA3-384 hash:	e5adb9ec9db2bc309456ee74fb79759878cabcf633f46921627d91f10aafc06291f3a8f273bea55f3221aa949da8a1db
SHA1 hash:	4414642ab2f92b536d59a05d4ddfa838fdf3a9b5
MD5 hash:	ca2a4c48977c3b639e3aa420745432fb
humanhash:	undress-nebraska-alanine-snake
File name:	Hesap_Hareketleri_09122024_html.exe
Download:	download sample
Signature	VIPKeylogger Create hunting rule
File size:	793'600 bytes
First seen:	2024-12-09 05:43:33 UTC
Last seen:	2025-01-10 14:37:28 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:PNl4dY9shQgZbGen4mrXc541rjRIIBbg3EuTFd5doUQuGAhR1KuIeyxqSp+:Idhl5x3Q21pIL3EuBdAUbG82mSp
Threatray	196 similar samples on MalwareBazaar
TLSH	T1B0F401A4BB5DD513C99416344FB1F2B9166C9E9DF912D203AED8BFAF7C72A141C08283
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
File icon (PE):
dhash icon	30d4f068e9b0d430 (7 x Formbook, 5 x AgentTesla, 2 x VIPKeylogger)
Reporter	abuse_ch
Tags:	exe geo TUR VIPKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

387

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Hesap_Hareketleri_09122024_html.exe

Verdict:

Malicious activity

Analysis date:

2024-12-09 05:44:07 UTC

Tags:

evasion snake keylogger telegram stealer

Link:

https://app.any.run/tasks/26789f20-2848-4ea4-abbb-1242488ac6f7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.CrypterX-gen.30933.14225.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=675683a4fca9c44c2497a59e

Tags:

micro shell msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a process with a hidden window

Adding an exclusion to Microsoft Defender

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed packed packer_detected

Link:

https://www.filescan.io/uploads/675683a2be1ef5b25ae071fc/reports/ce1f977b-4c9a-453a-acbc-255dc4f34e53/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/227a47ab69a3e27af957a15c776726f2ba7983cc02dd6031d8c057ec3f915c9a

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/926674b3-5169-47e3-bf78-0bbe764685d4

Result

Threat name:

Snake Keylogger, VIP Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1571189

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

AI detected suspicious sample

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Scheduled temp file as task from temp location

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/227a47ab69a3e27af957a15c776726f2ba7983cc02dd6031d8c057ec3f915c9a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/227a47ab69a3e27af957a15c776726f2ba7983cc02dd6031d8c057ec3f915c9a/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2024-12-09 04:55:36 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ej5epk3juprhv6kxufohozzg6k5hta6malowamoyybl6yp4rlsna._file

Verdict:

malicious

Label(s):

vipkeylogger

unknown_loader_037

VIPKeylogger

326d05c29c46e6ca7f2f1a9b534d8a2ffb98a13f74f8f26fff2057ad1f8e0ca8

VIPKeylogger

5ceb866b71b67cd11b3453f48459f358770331beef591d9d21d8023c390782e6

VIPKeylogger

d954045a10b2292df4e754ad6f1c5350c82ce0a75d2cd9275ada797eca2c413f

VIPKeylogger

error

VIPKeylogger

+ 186 additional samples on MalwareBazaar

Result

Malware family:

vipkeylogger

Score:

10/10

Tags:

family:vipkeylogger collection discovery execution keylogger spyware stealer

Link:

https://tria.ge/reports/241209-ge6bvavnfl/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Command and Scripting Interpreter: PowerShell

VIPKeylogger

Vipkeylogger family

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/aa2bb42a-c7a0-4cf7-835f-142c3e1aa3b8

Unpacked files

SH256 hash:

2fef79874cf9f038ce2e6892c03dea1cc23f39a1cebe6500beac276e0d00494b

MD5 hash:

77f472c207ec2cc123c04633607a4e61

SHA1 hash:

7b905cd11273520effaaf18642dce6f92e933b61

Detections:

INDICATOR_EXE_Packed_SmartAssembly

Link:

https://www.unpac.me/results/581c7c78-4dec-4da6-9990-2071751db54f/

Parent samples :

227a47ab69a3e27af957a15c776726f2ba7983cc02dd6031d8c057ec3f915c9a
0ecf60ff337dc16beed8a7faff49d2992ef4fe0f4c76ffc07457a011b382da90
123afb912a466e9b9df29889e95595a3a38d8494d5a284a174ec44c243ea311d
015bd9fdf0c4d73684a6b6349fbdda67ba243e0f78923e1d9b4f535b5832b04a
8c9ecbc59525eb2696bc09eef4a3e15df74be78bf378594fb204349bc949edab
cefa40083339d42320bc1f9ba33c578b8abe47e15eb0dd6b0ba2f734aa8f3d6d
7de234e703b36c03b4952a55b0b00112d2bac77b5106225bf28d4fbb7154e049
d30d43ea8f103340a2307145035f404873d3d345f310dbeba6fa20f85d3fb790
bcdee41502d32ac1f8b9ef98a25047a18550caf4947cb8111c2276cabb106149
ec0c57ee02c554f4d9120e583ae49741d7699f6e893434c6de082fd7cf504b17
9b1796dd7887612da304445be63506b9677ba72c84f727d74ca5cabc5771d675
264363a6ad5f6720663cd201f8037f0c6f3bfda8216bb8f975e7df9fd9c699b9
8f382b44be98d01413be1f9dc3221e6565e35d73fe41a94f9727b9ce4c71d6c9
50087b010b52ec07a7f52a85b56dc43041aae17b428e6b0af3d52d797d427682
5ca92658980b5d1f46f53d78202bd40e442163622e2edb5220046f74e5748945
cd676542bbeac4ff5dea88783c4e93b89971bdf60eaa04128f1d36078a4c2ad4
7bc91b9cdac45afdf50b3d0172e853c20d2040ceeca205bf2fbce469e12bfa88
50b149ecd824e894ea0702c35f1c693cf8a44a664ae3895b97330b8e5d7de21c
50e5353cf814e1f75d7c18a99c897670905b7e119d5d02cb532e0466819d68ba
7a31e73a61251309c51a343c14af5149915110c0f818747f7de78344739f21c5
120a2be02a522354992cb67454631495bc3116385e14cc77448444cb5176178f
27a97b69d2d9ea5dfcbf049ecd2796b25027cbe5c827da030cbf0ce1aeba5e35
4d968bf8e1e18956b459f9fce7e574cdee06e48559bc107ef42cec7777d58991
51717d0028159660daf45caf1db519581acda095d1fd2e49380abaa09c208e72
6bf4d235aec53cebe445d895500e0b9f15a9a245a078bbd49a65373371227f70
325c502174ac471c5b880cc4672193ca5ee66c94b22dad9831fd415853c7023b
752b6b1cff0314248ea1dc2f2ee4a3c8fdf9ed49da3dee49cb128a0e7ef98bc9
647c7306c455afa936e4e7b24cf8b676c9bde8e824089e397347ace6e3de793a
1b242c3226a5109e972f7cc2c64385f8f1fe128c67ebaa2f676dff4a18ba2dda
1d409e94b935c68a4b4841a1b2e05c6abf1ea827c419eab8bf3ee23229574160
b71fb82589e3532a9390352bc87f7c2edc2cd7fae723fe203500350a31559e17
4c839863452a16a4d99b13065cf93b09547d04b86ba649a8b40976122ff67a74
2a8afcd73b04e7a6285d428d348753b5d4e91e8e0c62ec44a1e54f678923dc0c
d025bba170b25ae8d8fa113ff1c1ec0280f56ffc742ebaddeba285af3f704256
db1d735638bab763d8e3fcab6055873556fa4f7b9437f99cd594400839c077c5
72d3358ea74f770930e44d382a00387f1451399ef01a513d11ef80ba2f9da653
f2675f59a65add81d32683e6ec1a2aec2c37547df4ef331c21b5f498ccee7897
e14cf1238643d04a93157a0416329f7f8b08a9ceff996b870be593df328d6953
2e0e7afdab8ca0ee49b2e3df7d9c8c3ff3f38d615fa114bd9dd06b8705842d5b
3240d336a0955bb3bcaac9f177a7dfa3c6a06e302c37fcc1c83d26ed8c283160
e0e53651961939af9ea23e40529bec8418f5915d4a7faa23184adc4febb81b92
580d408a0d3f6bca3bf2ee5ed847e4eefb32eedf4941870109b78674d60da7e0

SH256 hash:

2859b8700fc6111c40b806d114c43e2e3b4faa536eeab57d604818562905b911

MD5 hash:

7b08debe8d794823e28821fa8f4a0750

SHA1 hash:

5b49ba8c87cd7be7e11950094594e3794a16a79c

Detections:

win_masslogger_w0

win_404keylogger_g1

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

MAL_Envrial_Jan18_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_DotNetProcHook

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Link:

https://www.unpac.me/results/581c7c78-4dec-4da6-9990-2071751db54f/

Parent samples :

ec28ac8724bf2fa9d174bb0f20b018cc34ad87d0437cc7c765c559aea1a68105
dda809f369a6369d2d26e75ff6cf321d2fe052f3eb0074f227065906bb2af531
d2e02002409982274c26172e7360d2c5114b70035fff2f3d6ba263dc110f3049
e8f166c0f410ff3da2382987aeb59a652c3c042d85b0ca92b71e5bba2629e3c1
227a47ab69a3e27af957a15c776726f2ba7983cc02dd6031d8c057ec3f915c9a
0b0e33a49e209932b6fa85be230050e28ed46e35129a3b4b0b6f782ac4849f21
50087b010b52ec07a7f52a85b56dc43041aae17b428e6b0af3d52d797d427682
fe1ea0347bf6d718b99d5f38c272ee7c44099185319df916ff44ff8ae1e139c3
1349316e7a40b141bed9b55a8271d86434e168ff6efd248c1fa5af4e05c1c248
8b0966ac0b9d10efd2de59fd1f3949c0c5fd24a293193396022d949cecb8ef7d
f8dbe5f1422710a57a7cbce1bedcfaab71b4c2442fe1db24775c397add8d3184
800f9ec3e0b17084a4479e88fcc9089418ebd621531d1aee2eefbed5622a69b4
0cb819d32cb3a2f218c5a17c02bb8c06935e926ebacf1e40a746b01e960c68e4
147d14c2f5e822d2e0419c301096bf2c55bdf4831ca09743c2177269452cd112
97d2ac9df49a698cbe55f68068a93604206580f9696c8bf319d55c2e637c9727
cf8609a0bf3ca9ed3e5e39abab534229213e4df0316cd0478032cf59e0f2f3dd
570c0fbf80fba23ae65c80ceede951848ce522b9a767fae92812d4d3efb725cf
fcb20640b912b0513c2c1e7b5dfdca2f42a23e11aecbf0a82c4da76f8aed568e
39d75551da5fe22de373ed7ac38f66be936fbf93a9124e5f519f49a241aed84d
f944ca1d7c21680cbe1f62c78655862863170c51861ea0d930e7ed9b22ebc7b2
af991ddeba10d3b5f7d23603c840755386967bcb17175e3ff91dd52da78375b4
b9581e9af28f052e463acd6117271db974830bba5a7ba5825068596947e872bd
a0ff35101d202ae3367837980c58ebbc2238ddbed52a614b73fee68bccdb7ad1

SH256 hash:

aba08534c5c2b89a83da3a0273f28647d5903007a68592f3940e7ac5205bc483

MD5 hash:

7e9a3e03b063f2ef4bf516efc594bfb7

SHA1 hash:

454d9b81f4feefc9c89a388281b418007e09b998

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/581c7c78-4dec-4da6-9990-2071751db54f/

SH256 hash:

227a47ab69a3e27af957a15c776726f2ba7983cc02dd6031d8c057ec3f915c9a

MD5 hash:

ca2a4c48977c3b639e3aa420745432fb

SHA1 hash:

4414642ab2f92b536d59a05d4ddfa838fdf3a9b5

Link:

https://www.unpac.me/results/581c7c78-4dec-4da6-9990-2071751db54f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/227a47ab69a3e27af957a15c776726f2ba7983cc02dd6031d8c057ec3f915c9a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	RansomPyShield_Antiransomware Create hunting rule
Author:	XiAnzheng
Description:	Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample