MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3133b021fd1eb20aa1b624a6295496e0d4cfdad4d6d25ac00ab02ee5cbea8b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

vkeylogger

Vendor detections: 8



SHA256 hash: f3133b021fd1eb20aa1b624a6295496e0d4cfdad4d6d25ac00ab02ee5cbea8b1
SHA3-384 hash: 15e0c01049e742415be441a6571b9c50dbe90e8574c11524760640f2e5a9aefd7ebf10b92cbd8d4ffa65d716cb542acb
SHA1 hash: ed719729d7025b6d16399c88a7334fdd58b0d603
MD5 hash: 0ed76cd7cb14cc30d04802a750bcad22
humanhash: tennis-floor-red-romeo
File name: 0ed76cd7cb14cc30d04802a750bcad22.exe
Signature: vkeylogger
File size: 250'880 bytes
First seen: 2021-11-14 13:56:14 UTC
Last seen: 2021-11-14 15:48:56 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 6eb55c173f39a0ca8cec42f6f9709fde (1 x vkeylogger)
ssdeep: 3072:tgi/mWcLTrSMSgtFIqdJ5LJ4r/ububBcSd2on2KxUTrIf1vOOallWT7eevqiQcXr:tgi/xMSpqdJ5L2rnBWonKQfEZCCiVW
Threatray: 12 similar samples on MalwareBazaar
TLSH: T18634F042A38DD7BDF66C25351072B8B2C9E83E7C961F14BBC3E22E4E49B87D52091613
dhash icon: f0717971f0a6a2e8 (1 x vkeylogger)
Reporter: abuse_ch
Tags: exe VKeylogger

Intelligence


File Origin
# of uploads: 2
# of downloads: 100
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Using the Windows Management Instrumentation requests
Connection attempt
Sending an HTTP POST request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Reading critical registry keys
Deleting a recently created file
Sending a custom TCP request
DNS request
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm fareit packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Contains functionality to detect sleep reduction / modifications
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Detected unpacking (overwrites its own PE header)
Found C&C like URL pattern
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Encoded FromBase64String
Sigma detected: FromBase64String Command Line
Sigma detected: Mshta JavaScript Execution
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious MSHTA Process Patterns
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Tries to steal Crypto Currency Wallets
Uses the Telegram API (likely for C&C communication)
Very long command line found
Writes to foreign memory regions
Yara detected AntiVM3
Behaviour
Behavior Graph (ID: 521397, Sample: 0Y7JYKMrUZ.exe, Startdate: 14/11/2021, Architecture: WINDOWS, Score: 100), shown here as the process tree recovered from the graph rendering, with each node's signatures, network contacts and dropped files listed beneath it:

Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 12 other signatures

0Y7JYKMrUZ.exe (started)
    signatures: Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION; Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
    RegSvcs.exe (started)
        signatures: Maps a DLL or memory area into another process
        explorer.exe (started)
            network: 45.143.223.146, 49712, 49713, 80, ZUMYNL Netherlands
            dropped: C:\Users\user\AppData\Local\Temp\792.exe, PE32
            signatures: System process connects to network (likely due to code injection or exploit); Creates autostart registry keys with suspicious values (likely registry only malware); Creates multiple autostart registry keys; 3 other signatures
            explorer.exe (injected)
                mshta.exe (started)
                    signatures: Suspicious powershell command line found; Very long command line found
                    powershell.exe (started)
                        signatures: Found suspicious powershell code related to unpacking or dynamic code loading
                        conhost.exe (started)
                mshta.exe (started)
                    powershell.exe (started)
                        conhost.exe (started)
                RegSvcs.exe (started)
                    conhost.exe (started)
                RegSvcs.exe (started)
                    conhost.exe (started)
            792.exe (started)
                network: api.telegram.org 149.154.167.220, 443, 49718, 49723, TELEGRAMRU United Kingdom; 127.0.0.1 unknown unknown
                signatures: Multi AV Scanner detection for dropped file; Detected unpacking (overwrites its own PE header); Tries to harvest and steal browser information (history, passwords, etc); 2 other signatures
Threat name: Win32.Trojan.SpyEye
Status: Malicious
First seen: 2021-11-13 21:46:10 UTC
AV detection: 23 of 44 (52.27%)
Threat level: 5/5
Result
Malware family: vkeylogger
Score: 10/10
Tags: family:vkeylogger keylogger persistence stealer suricata
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
VKeylogger
VKeylogger Payload
suricata: ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
Unpacked files

SHA256 hash: 3a6658b2e22f6b36b260f897707e4507b8d93b53876d5c3e1ec8c2b2f847cc3c
MD5 hash: 5d3d30eca5957d1f600b8aec4fdfaa62
SHA1 hash: 6e1dd38832e63fa0c3b266d8736b6dfecbab5f80

SHA256 hash: 8df9cd55fdec48007e6ecba8562a3fe08cdf71819e945a01363d49a55cf56e2d
MD5 hash: c5ac76e47079f86ed7ccc230f78e6a26
SHA1 hash: a8f5ac0e1ce955031e9b85fa4a9f8852c6bcb40c

SHA256 hash: f4e8022c8bd4d0ba7be5550363af2e3c07d33978e90bffe3f9e3d9427f0e0164
MD5 hash: 9e4f361b5815fff0cf3ad5253a26adda
SHA1 hash: 38118a760927514a72e53e17e1b324356614a41c

SHA256 hash: f3133b021fd1eb20aa1b624a6295496e0d4cfdad4d6d25ac00ab02ee5cbea8b1
MD5 hash: 0ed76cd7cb14cc30d04802a750bcad22
SHA1 hash: ed719729d7025b6d16399c88a7334fdd58b0d603

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Base64_Encoded_Powershell_Directives

Rule name: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Author: ditekSHen
Description: detects Windows executables potentially bypassing UAC using eventvwr.exe

Rule name: vklogger_bin
Author: James_inthe_box
Description: Unknown Keylogger
Reference: https://www.hybrid-analysis.com/string-search/results/1e75a1d90f3a4e8c2d657f7cfa663947d02f98515db97881487e528e0ade4099

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
    vkeylogger: Executable exe f3133b021fd1eb20aa1b624a6295496e0d4cfdad4d6d25ac00ab02ee5cbea8b1 (this sample)

Delivery method
    Distributed via web download