MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a3d3d6ee6c705eb5cd66407edf6a27004dcdc8723994e0424f72eb0fa92c321. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VIPKeylogger


Vendor detections: 17


Intelligence 17 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3a3d3d6ee6c705eb5cd66407edf6a27004dcdc8723994e0424f72eb0fa92c321
SHA3-384 hash: fbbb9affbda8c5e7ccef7f2ed8c703bfa16128dbf8f1fbd46b57a8380aab0bd33317c3c725689e4e2fa243853fc85d24
SHA1 hash: 8a81db864d3ae60dbc267734328f444b8ee6864a
MD5 hash: 561132fd4e322f2bff9d12ec9dc818cd
humanhash: nine-cardinal-kitten-sink
File name:20250301_173245__P20250301_173245__P.exe
Download: download sample
Signature VIPKeylogger
Create hunting rule
File size:1'016'340 bytes
First seen:2025-03-05 08:56:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 98f67c550a7da65513e63ffd998f6b2e (60 x Worm.Mofksys, 21 x SnakeKeylogger, 13 x MassLogger)
ssdeep 12288:GENN+T5xYrllrU7QY67/ftpm+gvyeN30tupm7m5JzwXofJz/BK2FVjTlXuXReUvu:K5xolYQY6yJ30NyPz02FJT9eu
TLSH T1E325D02A7A00A02BC9D386F14872F67476282EA96F41DD0B17D49F977971A23B5F430F
TrID 38.2% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
34.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
14.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
4.9% (.EXE) Win64 Executable (generic) (10522/11/4)
2.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
dhash icon 000040ccc4c00040 (1 x VIPKeylogger)
Reporter threatcat_ch
Tags:exe VIPKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
547
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
20250301_173245__P20250301_173245__P.exe
Verdict:
Malicious activity
Analysis date:
2025-03-05 09:47:41 UTC
Tags:
evasion snake keylogger telegram smtp stealer
Link:
https://app.any.run/tasks/1e9fad75-15b8-49b3-a4d6-4a0143fa85d8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Packer.ProtectSharewar-2
Create hunting rule

PUA.Win.Packer.ProtectSharewar-3
Create hunting rule

Win.Malware.Swisyn-7610494-0
Create hunting rule

Win.Virus.Sality-6335700-2
Create hunting rule

Win.Malware.Swisyn-9942393-0
Create hunting rule

Win.Trojan.VBGeneric-6735885-0
Create hunting rule

Win.Virus.Sality-6747602-0
Create hunting rule

Win.Malware.Swisyn-6803865-0
Create hunting rule

Win.Trojan.Kazy-304
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67c81423c8d04e92a4bf0928
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Setting a keyboard event handler
Setting a global event handler
Creating a file in the %AppData% directory
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Unauthorized injection to a recently created process
Setting a single autorun event
Launching the process to create tasks for the scheduler
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun
Enabling a "Do not show hidden files" option
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Forced shutdown of a browser
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
explorer lolbin obfuscated overlay packed packed packer_detected visual_basic
Link:
https://www.filescan.io/uploads/67c811f1f8726576332d35ba/reports/d87caf99-58b7-4c78-9bbf-28b46a6262ab/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/3a3d3d6ee6c705eb5cd66407edf6a27004dcdc8723994e0424f72eb0fa92c321
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
MOFKSYS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e886b56b-55fb-4c8d-880c-4035bca6cb59
Result
Threat name:
CryptOne, Snake Keylogger, VIP Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1629925
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Detected CryptOne packer
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Interactive AT Job
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspect Svchost Activity
Sigma detected: System File Execution Location Anomaly
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1629925 Sample: 20250301_173245__P20250301_... Startdate: 05/03/2025 Architecture: WINDOWS Score: 100 125 reallyfreegeoip.org 2->125 127 api.telegram.org 2->127 129 10 other IPs or domains 2->129 133 Suricata IDS alerts for network traffic 2->133 135 Found malware configuration 2->135 137 Malicious sample detected (through community Yara rule) 2->137 143 19 other signatures 2->143 12 20250301_173245__P20250301_173245__P.exe 1 4 2->12         started        16 dUENcAj.exe 2->16         started        18 explorer.exe 2->18         started        20 svchost.exe 1 1 2->20         started        signatures3 139 Tries to detect the country of the analysis system (by using the IP) 125->139 141 Uses the Telegram API (likely for C&C communication) 127->141 process4 dnsIp5 107 20250301_173245__p20250301_173245__p.exe, PE32 12->107 dropped 109 C:\Users\user\AppData\Local\icsys.icn.exe, PE32 12->109 dropped 191 Installs a global keyboard hook 12->191 23 icsys.icn.exe 4 12->23         started        27 20250301_173245__p20250301_173245__p.exe 7 12->27         started        111 C:\Users\user\AppData\Roaming\duencaj.exe, PE32 16->111 dropped 193 Antivirus detection for dropped file 16->193 195 Multi AV Scanner detection for dropped file 16->195 29 duencaj.exe 16->29         started        31 icsys.icn.exe 16->31         started        131 127.0.0.1 unknown unknown 20->131 file6 signatures7 process8 file9 99 C:\Windows\System\explorer.exe, PE32 23->99 dropped 179 Antivirus detection for dropped file 23->179 181 Drops PE files with benign system names 23->181 183 Installs a global keyboard hook 23->183 33 explorer.exe 3 53 23->33         started        101 C:\Users\user\AppData\Roaming\dUENcAj.exe, PE32 27->101 dropped 103 C:\Users\user\...\dUENcAj.exe:Zone.Identifier, ASCII 27->103 dropped 105 C:\Users\user\AppData\Local\...\tmpFEE9.tmp, XML 27->105 dropped 185 Adds a directory exclusion to Windows Defender 27->185 187 Injects a PE file into a foreign processes 27->187 38 20250301_173245__p20250301_173245__p.exe 27->38         started        40 powershell.exe 27->40         started        42 powershell.exe 27->42         started        44 schtasks.exe 27->44         started        46 duencaj.exe 29->46         started        48 schtasks.exe 29->48         started        50 duencaj.exe 29->50         started        189 Drops executables to the windows directory (C:\Windows) and starts them 31->189 52 explorer.exe 31->52         started        signatures10 process11 dnsIp12 113 vccmd01.zxq.net 51.81.194.202, 443, 49750, 49753 OVHFR United States 33->113 115 googlecode.l.googleusercontent.com 64.233.167.82, 49735, 49742, 49767 GOOGLEUS United States 33->115 117 66.102.1.82, 49737, 49772, 49788 GOOGLEUS United States 33->117 91 C:\Windows\System\spoolsv.exe, PE32 33->91 dropped 93 C:\Users\user\AppData\Roaming\mrsys.exe, PE32 33->93 dropped 145 Antivirus detection for dropped file 33->145 147 System process connects to network (likely due to code injection or exploit) 33->147 149 Creates an undocumented autostart registry key 33->149 151 Drops PE files with benign system names 33->151 54 spoolsv.exe 3 33->54         started        119 mail.javedan-battery.com 162.215.121.116, 49786, 49789, 587 UNIFIEDLAYER-AS-1US United States 38->119 121 api.telegram.org 149.154.167.220, 443, 49774, 49783 TELEGRAMRU United Kingdom 38->121 123 2 other IPs or domains 38->123 153 Loading BitLocker PowerShell Module 40->153 58 conhost.exe 40->58         started        60 conhost.exe 42->60         started        62 conhost.exe 44->62         started        155 Tries to steal Mail credentials (via file / registry access) 46->155 157 Tries to harvest and steal browser information (history, passwords, etc) 46->157 64 conhost.exe 48->64         started        159 Installs a global keyboard hook 52->159 file13 signatures14 process15 file16 97 C:\Windows\System\svchost.exe, PE32 54->97 dropped 171 Antivirus detection for dropped file 54->171 173 Drops executables to the windows directory (C:\Windows) and starts them 54->173 175 Drops PE files with benign system names 54->175 177 Installs a global keyboard hook 54->177 66 svchost.exe 54->66         started        signatures17 process18 file19 95 C:\Users\user\AppData\Local\stsys.exe, PE32 66->95 dropped 161 Detected CryptOne packer 66->161 163 Creates an undocumented autostart registry key 66->163 165 Drops executables to the windows directory (C:\Windows) and starts them 66->165 167 2 other signatures 66->167 70 spoolsv.exe 66->70         started        73 at.exe 66->73         started        75 at.exe 66->75         started        77 18 other processes 66->77 signatures20 process21 signatures22 169 Installs a global keyboard hook 70->169 79 conhost.exe 73->79         started        81 conhost.exe 75->81         started        83 conhost.exe 77->83         started        85 conhost.exe 77->85         started        87 conhost.exe 77->87         started        89 15 other processes 77->89 process23
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3a3d3d6ee6c705eb5cd66407edf6a27004dcdc8723994e0424f72eb0fa92c321
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3a3d3d6ee6c705eb5cd66407edf6a27004dcdc8723994e0424f72eb0fa92c321/
Threat name:
Win32.Trojan.Golsys
Create hunting rule
Status:
Malicious
First seen:
2025-03-05 05:19:52 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hi6t23xgy4c6wxgwmqd635vcoacnzxeheomu4bbe64xlb6usymqq._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
mofksys
Create hunting rule
Similar samples:
error
VIPKeylogger
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:vipkeylogger collection defense_evasion discovery execution keylogger persistence spyware stealer
Link:
https://tria.ge/reports/250305-kwpl7svlt9/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Boot or Logon Autostart Execution: Active Setup
Command and Scripting Interpreter: PowerShell
Modifies WinLogon for persistence
Modifies visiblity of hidden/system files in Explorer
VIPKeylogger
Vipkeylogger family
Verdict:
Malicious
Tags:
trojan Win.Malware.Swisyn-7610494-0 404keylogger
YARA:
Windows_Generic_Threat_2bb7fbe3
Link:
https://app.threat.zone/submission/ac76f74e-22e0-4c21-a0f8-f0d0d2ef75cb
Unpacked files
SH256 hash:
3a3d3d6ee6c705eb5cd66407edf6a27004dcdc8723994e0424f72eb0fa92c321
MD5 hash:
561132fd4e322f2bff9d12ec9dc818cd
SHA1 hash:
8a81db864d3ae60dbc267734328f444b8ee6864a
Link:
https://www.unpac.me/results/7a8e3fc0-3872-4495-b070-412b136678ed/
SH256 hash:
03712afe10978fed7a3f3a6f158c2d4ef016248ca5693de54404023e44596eac
MD5 hash:
1503edcf019e30f945c81a7f1d5850b7
SHA1 hash:
4119dabb339e388c2062b55db84f0a2516dfca1b
Link:
https://www.unpac.me/results/7a8e3fc0-3872-4495-b070-412b136678ed/
SH256 hash:
fc514313ff29e17391a286039a0c256238e2a73d635b15f0999a1525e35773c5
MD5 hash:
50ef14f71f6e045d1e1772be50c0dda5
SHA1 hash:
20c99478852f9c442cac3b37594a460685240a43
Detections:
win_404keylogger_g1
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Link:
https://www.unpac.me/results/7a8e3fc0-3872-4495-b070-412b136678ed/
SH256 hash:
6c56fbd5481ff333331d10bf80a44ec957ec91ec5ea34af2f2b949d78d510ee9
MD5 hash:
4c76cb72a2f64f1c5523d19cbcfb9b62
SHA1 hash:
7f68a6f7f33bdf51a7e916914cd47ce3c7628472
Link:
https://www.unpac.me/results/7a8e3fc0-3872-4495-b070-412b136678ed/
SH256 hash:
2287c383aae524d8a8007ed2de2aecbd1224cc18e641a3c0255254f52bc71e3c
MD5 hash:
276eef978e6cc5eb754b6aba32add9cf
SHA1 hash:
d01760fc130c50c9bb6627f3b30a654754b7ca99
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/7a8e3fc0-3872-4495-b070-412b136678ed/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3a3d3d6ee6c7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3a3d3d6ee6c705eb5cd66407edf6a27004dcdc8723994e0424f72eb0fa92c321

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:ProtectSharewareV11eCompservCMS
Create hunting rule
Author:malware-lu
Rule name:SEH__vba
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SUSP_Imphash_Mar23_2
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Zero hits with with search for 'imphash:x p:0' on Virustotal)
Reference:Internal Research
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:Windows_Generic_Threat_2bb7fbe3
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

VIPKeylogger

Executable exe 3a3d3d6ee6c705eb5cd66407edf6a27004dcdc8723994e0424f72eb0fa92c321

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
VB_APILegacy Visual Basic API usedMSVBVM60.DLL::__vbaCopyBytes
MSVBVM60.DLL::__vbaSetSystemError
MSVBVM60.DLL::__vbaExitProc
MSVBVM60.DLL::__vbaObjSetAddref
MSVBVM60.DLL::EVENT_SINK_AddRef
MSVBVM60.DLL::__vbaFileOpen

Comments