MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb759a16bd2daead770a4aa60357ad804d5d4733554c0d41adafd1920683a0c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VIPKeylogger


Vendor detections: 16


Intelligence 16 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cb759a16bd2daead770a4aa60357ad804d5d4733554c0d41adafd1920683a0c3
SHA3-384 hash: f3d916be62c37d353a397a15d0fa179b2e223f927d9385f29521f04222093a61df0f1acde3622f7bf5e2e8c688d7eb38
SHA1 hash: 8c38b1ef5f9c5c70854108c1f50825c8533a3646
MD5 hash: 3a93681cf2ff8a1565e2d7e4a5c36d69
humanhash: october-uranus-delaware-oregon
File name:URGENT DHL - OVERDUE ACCOUNT LETTER- 1300711528.exe
Download: download sample
Signature VIPKeylogger
Create hunting rule
File size:2'981'376 bytes
First seen:2025-02-27 15:47:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'746 x AgentTesla, 19'628 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 49152:mF5tpzf9m3wrHeH3W+jQXDEjPbHxizzKuSSL6fhpixs0LrTrNUon:DQHCmgCUPNSTsDcLvruon
Threatray 4'871 similar samples on MalwareBazaar
TLSH T175D50103A7565BB2E292077AD5B35C1ECB71D040A61BEB5B79CEB3B44C93B362D08607
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:DHL exe VIPKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
486
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
URGENTDHL-OVERDUEACCOUNTLETTER-1300711528.exe
Verdict:
Malicious activity
Analysis date:
2025-02-27 15:52:27 UTC
Tags:
evasion snake keylogger telegram stealer
Link:
https://app.any.run/tasks/6abcb8c2-c2e2-45ae-adf0-2d70a1cac36a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67c0895d2dfba428b46ed43f
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade net_reactor obfuscated obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/67c0893e3c5f644bd93b05ae/reports/08523f93-41f2-435d-a580-33ff9c1a8296/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/cb759a16bd2daead770a4aa60357ad804d5d4733554c0d41adafd1920683a0c3
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/82d73c4f-8cb0-4937-9c47-ff07114cee1e
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1625720
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Drops VBS files to the startup folder
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cb759a16bd2daead770a4aa60357ad804d5d4733554c0d41adafd1920683a0c3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cb759a16bd2daead770a4aa60357ad804d5d4733554c0d41adafd1920683a0c3/
Threat name:
Win32.Trojan.CrypterX
Create hunting rule
Status:
Malicious
First seen:
2025-02-27 10:00:35 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zn2zufv5fwxk25ykjktagv5nqbgv2rztkvga2qnnv7izebududbq._file
Verdict:
malicious
Label(s):
vipkeylogger
Create hunting rule
Similar samples:
2e9a793c02aae5b3dd4119d9ffa2a57437d9b00d3d931aeb89ede5c65faf2610
VIPKeylogger
657791b7f748b9280b72ae9be5b6d2f4eff25a83379dcb454722ebb5fb866199
VIPKeylogger
7796b1f3337cbf48250d70b2ec8c11faa588f5f44078f4a2296e53ef04f35f9e
VIPKeylogger
a4ecdd060da87b9dd69ac7421a0d18abac5842979df0587c4542692ffefa70ca
VIPKeylogger
b8df5ca9ec2fbb02bebddb499f4c1a966bf9da4581e68eeca99a195dbd94f4fb
VIPKeylogger
e5c3febab37a06659361fbfb93aff167b685270ba63a71a86fa9892379abfbf3
VIPKeylogger
error
VIPKeylogger
+ 4'861 additional samples on MalwareBazaar
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:vipkeylogger collection discovery keylogger stealer
Link:
https://tria.ge/reports/250227-s8vyra1whv/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Drops startup file
Suspicious use of NtCreateUserProcessOtherParentProcess
VIPKeylogger
Vipkeylogger family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/48997f47-7d78-432b-973c-5891d86760c9
Unpacked files
SH256 hash:
cb759a16bd2daead770a4aa60357ad804d5d4733554c0d41adafd1920683a0c3
MD5 hash:
3a93681cf2ff8a1565e2d7e4a5c36d69
SHA1 hash:
8c38b1ef5f9c5c70854108c1f50825c8533a3646
Link:
https://www.unpac.me/results/abe70673-ea98-4faf-863c-2e76b71eeab3/
SH256 hash:
b8cadf70324558ac85c732caa81fbf1046d5b35326858951d381d2786c134377
MD5 hash:
2ed5dda5006fa6b6dd4eb47be748e37e
SHA1 hash:
6060a3e760c23407d55e774dc2527a9d77e416fc
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/abe70673-ea98-4faf-863c-2e76b71eeab3/
Malware family:
VIPKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cb759a16bd2d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cb759a16bd2daead770a4aa60357ad804d5d4733554c0d41adafd1920683a0c3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Lumma_Stealer_Detection
Create hunting rule
Author:ashizZz
Description:Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments