MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3014fe96ba09009c9717c930855baf4cfaba24db90ec6f6004daa619d5c07395. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

VIPKeylogger
Vendor detections: 15



SHA256 hash: 3014fe96ba09009c9717c930855baf4cfaba24db90ec6f6004daa619d5c07395
SHA3-384 hash: ee09542b2be19950337de12a08b276dcfc97ad7825298659a9f868df38c8d2e00956d6bf47181fdc889c20576dfb3a91
SHA1 hash: 8c9b9026b31346ffea0c19c5c7d563b48dd27ca2
MD5 hash: b327740d9d0c50712d16aa7aa40f02a8
humanhash: india-fillet-social-montana
File name: RFQ-INQUIRY#46883-A24.exe
Signature: VIPKeylogger
File size: 1'895'424 bytes
First seen: 2025-02-20 10:34:06 UTC
Last seen: 2025-02-20 10:36:09 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 24576:sDCnYFij7OVei5g+YIgxMy32uc9qye441eU4yYSkMmWKH5G/N:sDHF95rg4uc9an49KC5G/N
Threatray: 2'115 similar samples on MalwareBazaar
TLSH: T13995E187B6485969D2A74F33D4D2BA3047E5DF715F77EF59009008E90A1A383E9E2A33
TrID:
  67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
  6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
dhash icon: f0ccf0d44cb8c4e0 (1 x SnakeKeylogger, 1 x VIPKeylogger)
Reporter: lowmal3
Tags: exe VIPKeylogger

Intelligence


File Origin
# of uploads: 2
# of downloads: 454
Origin country: DE
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: RFQ-INQUIRY#46883-A24.exe
Verdict: Malicious activity
Analysis date: 2025-02-20 10:37:09 UTC
Tags: snake keylogger evasion telegram purecrypter netreactor smtp stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Verdict: Malicious
Score: 96.5%
Tags: autorun snake
Result
Verdict: Malware
Behaviour:
Creating a file in the %AppData% directory
Creating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Creating a window
Stealing user critical data
Enabling autorun by creating a file
Forced shutdown of a browser
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: obfuscated packed smartassembly
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Snake Keylogger, VIP Keylogger
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature:
.NET source code contains potential unpacker
Drops VBS files to the startup folder
Found malware configuration
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Behaviour
Behavior Graph ID: 1619844
Sample: RFQ-INQUIRY#46883-A24.exe
Start date: 20/02/2025
Architecture: WINDOWS
Score: 100

Process tree (as recorded in the graph):
RFQ-INQUIRY#46883-A24.exe (started)
wscript.exe (started)
  eplorerers.exe (started by wscript.exe)

Network contacts (as recorded in the graph):
reallyfreegeoip.org (Tries to detect the country of the analysis system (by using the IP))
api.telegram.org, 149.154.167.220, 443, 49765, 49915, TELEGRAMRU, United Kingdom (Uses the Telegram API (likely for C&C communication))
mail.ladangharbalenterprise.com, 162.251.80.117, 49807, 49956, 587, PUBLIC-DOMAIN-REGISTRYUS, United States
3 other IPs or domains at the root node; 2 other IPs or domains contacted by RFQ-INQUIRY#46883-A24.exe

Files dropped by RFQ-INQUIRY#46883-A24.exe:
C:\Users\user\AppData\...\eplorerers.exe, PE32
C:\Users\...\eplorerers.exe:Zone.Identifier, ASCII
C:\Users\user\AppData\...\eplorerers.vbs, ASCII

Signatures attached to graph nodes:
Root: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures
RFQ-INQUIRY#46883-A24.exe: Tries to steal Mail credentials (via file / registry access); Drops VBS files to the startup folder; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
wscript.exe: Windows Scripting host queries suspicious COM object (likely to drop second stage)
eplorerers.exe: Multi AV Scanner detection for dropped file; Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
Threat name: Win32.Ransomware.Generic
Status: Malicious
First seen: 2025-02-19 16:52:06 UTC
File Type: PE (.Net Exe)
Extracted files: 8
AV detection: 20 of 24 (83.33%)
Threat level: 5/5

Result
Malware family: vipkeylogger
Score: 10/10
Tags: family:vipkeylogger collection discovery keylogger spyware stealer
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
outlook_office_path
outlook_win_path
Browser Information Discovery
System Location Discovery: System Language Discovery
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Drops startup file
Reads user/profile data of local email clients
Reads user/profile data of web browsers
VIPKeylogger
Vipkeylogger family
Verdict: Malicious
Tags: Win.Packed.Msilheracles-10017859-0 404keylogger
YARA: n/a
Unpacked files

SHA256 hash: 5fffcd5fc38399055c599a1094f1896112eac17226aa8d68e5583fb1374d8302
MD5 hash: 3d2a2a05318178e414bc6fef55f614dc
SHA1 hash: 4a24b21433a738401f44f3ddc5744825e4185384
Detections: SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: 9975c9c8532327a0537970066d8b43a82ff566f7aad3967e3516a8f41577b671
MD5 hash: 97fb134b87ea47a772629370b42f36f0
SHA1 hash: 71eb247db7c5a6620fb43eccfd5eef5c0efdb591

SHA256 hash: 3014fe96ba09009c9717c930855baf4cfaba24db90ec6f6004daa619d5c07395
MD5 hash: b327740d9d0c50712d16aa7aa40f02a8
SHA1 hash: 8c9b9026b31346ffea0c19c5c7d563b48dd27ca2

Malware family: VIPKeylogger
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_EXE_Packed_SmartAssembly
Author: ditekSHen
Description: Detects executables packed with SmartAssembly

Rule name: NET
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Family: VIPKeylogger
Sample: Executable exe 3014fe96ba09009c9717c930855baf4cfaba24db90ec6f6004daa619d5c07395 (this sample)
Delivery method: Distributed via e-mail attachment

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                          Title                                              Severity
CHECK_AUTHENTICODE          Missing Authenticode                               high
CHECK_DLL_CHARACTERISTICS   Missing dll Security Characteristics (GUARD_CF)    high
