MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 728471dd6fdd1869a99bfff247c5bf66da0d0185b464a5dbef3ad1e7e58d4980. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VIPKeylogger


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 728471dd6fdd1869a99bfff247c5bf66da0d0185b464a5dbef3ad1e7e58d4980
SHA3-384 hash: 10132e99ab0aa44caeec7d2238722e07d73d9abbe6d0f3ca56c2068e5b890ce30461356ab242a1e42006f853316a8a75
SHA1 hash: 27f26d42f930fb0c48f6459d6f46e8d1eedc8d9c
MD5 hash: 395011827c683ed8fc0781a43aa9e214
humanhash: network-indigo-yellow-fanta
File name:FACTURA.exe
Download: download sample
Signature VIPKeylogger
Create hunting rule
File size:477'001 bytes
First seen:2024-08-27 15:02:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 57e98d9a5a72c8d7ad8fb7a6a58b3daf (60 x GuLoader, 20 x AZORult, 12 x RemcosRAT)
ssdeep 12288:qcFfeRdd/zkJpYjX8PgOSN2K45i5ZFFfIv9qvQV:qcJeRdd/zkJOBB4Ihw04V
Threatray 1'419 similar samples on MalwareBazaar
TLSH T1D6A4122E3A51C0E6FA8983716B3ADF0B99DAB8571152050733B177B56B382D3C90F9C9
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
File icon (PE):PE icon
dhash icon 8883b69d19c6c3c0 (38 x GuLoader, 6 x RemcosRAT, 6 x VIPKeylogger)
Reporter abuse_ch
Tags:exe VIPKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
374
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
guloader
Create hunting rule
ID:
1
File name:
FACTURA.exe
Verdict:
Malicious activity
Analysis date:
2024-08-05 05:04:09 UTC
Tags:
guloader loader snake keylogger evasion telegram stealer
Link:
https://app.any.run/tasks/e12cba0b-c9f8-44a4-9c5e-e718dd570319

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Gen.Variant.Nemesis.254.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66cdeaa8e026e7f769297c19
Tags:
Encryption Execution Stealth Malware
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file in the %AppData% subdirectories
Launching a process
Using the Windows Management Instrumentation requests
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
installer masquerade microsoft_visual_cc
Link:
https://www.filescan.io/uploads/66cdeaa8eb26ed7f73c51b9b/reports/33405267-accf-4a38-86c5-b604f6609f57/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/728471dd6fdd1869a99bfff247c5bf66da0d0185b464a5dbef3ad1e7e58d4980
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/bfc44753-3fe9-4874-b900-31faac26d916
Result
Threat name:
GuLoader, Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1499837
Signature
AI detected suspicious sample
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected GuLoader
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1499837 Sample: FACTURA.exe Startdate: 27/08/2024 Architecture: WINDOWS Score: 100 34 reallyfreegeoip.org 2->34 36 api.telegram.org 2->36 38 4 other IPs or domains 2->38 44 Found malware configuration 2->44 46 Multi AV Scanner detection for dropped file 2->46 48 Multi AV Scanner detection for submitted file 2->48 54 4 other signatures 2->54 8 FACTURA.exe 25 2->8         started        signatures3 50 Tries to detect the country of the analysis system (by using the IP) 34->50 52 Uses the Telegram API (likely for C&C communication) 36->52 process4 file5 22 C:\Users\user\AppData\...\Fallage79.Sgn, ASCII 8->22 dropped 56 Suspicious powershell command line found 8->56 12 powershell.exe 20 8->12         started        signatures6 process7 file8 24 C:\Users\user\AppData\Roaming\...\FACTURA.exe, PE32 12->24 dropped 26 C:\Users\user\...\FACTURA.exe:Zone.Identifier, ASCII 12->26 dropped 58 Writes to foreign memory regions 12->58 60 Found suspicious powershell code related to unpacking or dynamic code loading 12->60 62 Powershell drops PE file 12->62 16 wab.exe 15 8 12->16         started        20 conhost.exe 12->20         started        signatures9 process10 dnsIp11 28 api.telegram.org 149.154.167.220, 443, 49741 TELEGRAMRU United Kingdom 16->28 30 reallyfreegeoip.org 188.114.96.3, 443, 49724, 49725 CLOUDFLARENETUS European Union 16->30 32 3 other IPs or domains 16->32 40 Tries to steal Mail credentials (via file / registry access) 16->40 42 Tries to harvest and steal browser information (history, passwords, etc) 16->42 signatures12
Score:
89%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/728471dd6fdd1869a99bfff247c5bf66da0d0185b464a5dbef3ad1e7e58d4980
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/728471dd6fdd1869a99bfff247c5bf66da0d0185b464a5dbef3ad1e7e58d4980/
Threat name:
Win32.Spyware.Snakekeylogger
Create hunting rule
Status:
Malicious
First seen:
2024-07-31 08:17:17 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
22 of 38 (57.89%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=okchdxlp3umgtkm377zeprn7m3na2amfwrsklw7phli6pzmnjgaa._file
Verdict:
malicious
Similar samples:
083a3fd47e58d83c6a4265bcb00f93d30cc2901d6637ae9648411e83d3ad5017
VIPKeylogger
121dae49dacf1290b5ef4de577a01161b523d9edf8564fa765e7c00ac6c3b862
VIPKeylogger
27a27f7a05d98177ca443f7341412869205ce10deaec52148989f4ded45605fc
VIPKeylogger
28e90ac25cc8dcdb8b16cb3403e695b191965e3bfc1f832fcd412177633852d4
VIPKeylogger
7298b43de9d8dc586ce35f452e67b98d234c2b005648ffb7e6a21bea06a8dcb9
VIPKeylogger
91189e4ad3fe8d5b0479e18402677fcc4279c859a02b05168a44f92cf932be07
VIPKeylogger
de8e56619f525bc15263e75b427b91cd06dd3b5e510388707625b5e680bc6191
VIPKeylogger
e8c869ce645ed191a49065b3b51790b0d502f7045e9040aefdef98d697e47caf
VIPKeylogger
ffa97f0d01eac4cde4fcb0d949b4931d9f74dd1c1c7f75839b532a4b3c52e3c1
VIPKeylogger
+ 1'409 additional samples on MalwareBazaar
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:vipkeylogger discovery execution keylogger stealer
Link:
https://tria.ge/reports/240827-se1bdawfnd/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Command and Scripting Interpreter: PowerShell
VIPKeylogger
Unpacked files
SH256 hash:
728471dd6fdd1869a99bfff247c5bf66da0d0185b464a5dbef3ad1e7e58d4980
MD5 hash:
395011827c683ed8fc0781a43aa9e214
SHA1 hash:
27f26d42f930fb0c48f6459d6f46e8d1eedc8d9c
Link:
https://www.unpac.me/results/b1a1ac61-3534-4d8a-bcf0-02c0bdb9b7d2/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/728471dd6fdd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/728471dd6fdd1869a99bfff247c5bf66da0d0185b464a5dbef3ad1e7e58d4980

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:NSIS_GuLoader
Create hunting rule
Author:NDA0E
Description:Detects GuLoader using NSIS

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::SetFileSecurityA
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExA
SHELL32.dll::SHFileOperationA
SHELL32.dll::SHGetFileInfoA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetDiskFreeSpaceA
KERNEL32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileA
KERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::MoveFileExA
KERNEL32.dll::MoveFileA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegDeleteKeyA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuA
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExA
USER32.dll::OpenClipboard
USER32.dll::PeekMessageA
USER32.dll::CreateWindowExA

Comments