MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7004285faaa3caabec19f6382f86f380da6fbe1eb5d624a7bc2a9e999a5ba79d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



vkeylogger


Vendor detections: 9



SHA256 hash: 7004285faaa3caabec19f6382f86f380da6fbe1eb5d624a7bc2a9e999a5ba79d
SHA3-384 hash: 68bb76b76380fc023ccbc809fedd92b8e1c1d49c3427d16910a2186f3d6bedb3a6aed4afc49556fc6b9ec167f82d22c2
SHA1 hash: cd28198ef48a50b3d14dc8eb5d37f505b2c85c33
MD5 hash: 9e559c854f7b4c66ffbe7702e8f49cd0
humanhash: johnny-triple-william-jig
File name: 9e559c854f7b4c66ffbe7702e8f49cd0.exe
Signature: vkeylogger
File size: 158'208 bytes
First seen: 2021-09-09 07:23:24 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c667e2db61fc5d3b6783de3a152ec2e5 (2 x ArkeiStealer, 1 x RaccoonStealer, 1 x vkeylogger)
ssdeep: 1536:R0pgLhTm/R1rLQPBE2sibwV/PiOda7Y3UKzvau+OuJrZnZewEjjJ8LmoGQSL8RrO:2RJFwaVIBKzv4O6B6jAmoGQSL+rn5eT
Threatray: 13 similar samples on MalwareBazaar
TLSH: T146F3AE2135E1C072CA86653C48E0CAF16A79BD31D674CA8B7B98167E6F703D48B3E356
dhash icon: 1072c093b0381906 (22 x RedLineStealer, 22 x RaccoonStealer, 20 x Stop)
Reporter: abuse_ch
Tags: exe VKeylogger

Intelligence


File Origin
# of uploads: 1
# of downloads: 114
Origin country: n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://crackedera.com/adobe-premiere-serial-key/
Verdict:
Malicious activity
Analysis date:
2021-09-09 06:25:53 UTC
Tags:
trojan evasion stealer vidar loader rat redline

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Sending an HTTP GET request to an infection source
Creating a file in the %temp% directory
Creating a process from a recently created file
Reading critical registry keys
Creating a file
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Unauthorized injection to a recently created process
Stealing user critical data
Unauthorized injection to a system process
Sending an HTTP POST request to an infection source
Malware family:
Generic Malware
Verdict:
Malicious
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Contains functionality to register a low level keyboard hook
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Found C&C like URL pattern
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Sigma detected: Encoded FromBase64String
Sigma detected: FromBase64String Command Line
Sigma detected: Mshta JavaScript Execution
Sigma detected: MSHTA Spawning Windows Shell
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Very long command line found
Behaviour
Behavior Graph (ID: 480322; sample: dxcbs4GN4T.exe; start date: 09/09/2021; architecture: WINDOWS; score: 100), reconstructed from the graph as a process tree:
Start (dxcbs4GN4T.exe): Snort IDS alert for network traffic; Multi AV Scanner detection; Sigma detected: Encoded FromBase64String; 6 other signatures
  dxcbs4GN4T.exe: Detected unpacking (changes PE section rights); Maps a DLL or memory area into another process
    explorer.exe (started): connects to 37.49.230.185:80 (ESTROWEBNL, Estonia) and github.com 140.82.121.4:443 (GITHUBUS, United States); System process connects to network; Creates autostart registry keys with suspicious values; Creates multiple autostart registry keys; 4 other signatures
      explorer.exe (injected)
        mshta.exe: Suspicious powershell command line found; Very long command line found
          powershell.exe: Found suspicious powershell code related to unpacking or dynamic code loading
            conhost.exe
        mshta.exe
          powershell.exe
            conhost.exe
        dxcbs4GN4T.exe: Maps a DLL or memory area into another process
          explorer.exe
        dxcbs4GN4T.exe
          explorer.exe
Threat name:
Win32.Trojan.Sabsik
Status:
Malicious
First seen:
2021-09-08 19:31:21 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
5/5
Result
Malware family:
vkeylogger
Score:
10/10
Tags:
family:vkeylogger keylogger persistence stealer
Behaviour
Creates scheduled task(s)
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
VKeylogger
VKeylogger Payload
Unpacked files
SHA256 hash:
bacffa6fb99c63cb83259eb45d84f6e8c907a7cbd30708bbdbe150347b7b7fd2
MD5 hash:
1d9b98948af7fd51341cbce0d04af911
SHA1 hash:
41251f62673c84d0c9bc81186d601c88ed150ead
SHA256 hash:
da5e84db862662ce652f9917b4c0ae706cf153d1a0d01eaaeca9e19a6026bb87
MD5 hash:
e8e144d4df00a335931aabaaae5f4460
SHA1 hash:
7ae1ffaa244cc3ad8b4c294712dc741b8b611981
SHA256 hash:
bcd9f57264b737f5204305bbd0d678d7c12584cba89da99e89dc168e0c25e244
MD5 hash:
ea5677cce3699d54dde4c8505d1aa0f2
SHA1 hash:
6fe182865cd11abc948ffa16f11a93512656044f
SHA256 hash:
7004285faaa3caabec19f6382f86f380da6fbe1eb5d624a7bc2a9e999a5ba79d
MD5 hash:
9e559c854f7b4c66ffbe7702e8f49cd0
SHA1 hash:
cd28198ef48a50b3d14dc8eb5d37f505b2c85c33
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Base64_Encoded_Powershell_Directives
Rule name: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Author: ditekSHen
Description: detects Windows executables potentially bypassing UAC using eventvwr.exe
Rule name: vklogger_bin
Author: James_inthe_box
Description: Unknown Keylogger
Reference: https://www.hybrid-analysis.com/string-search/results/1e75a1d90f3a4e8c2d657f7cfa663947d02f98515db97881487e528e0ade4099

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: vkeylogger
File: Executable exe 7004285faaa3caabec19f6382f86f380da6fbe1eb5d624a7bc2a9e999a5ba79d (this sample)
