MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 76e3c168ee9273a10fdfd1bd2e9cf239964ddea4a8b331a8aefbd9964bed6413. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



VIPKeylogger


Vendor detections: 12



SHA256 hash: 76e3c168ee9273a10fdfd1bd2e9cf239964ddea4a8b331a8aefbd9964bed6413
SHA3-384 hash: d3b309266ef5b2f2a10f10f228d1aefd7eec141e96aa4adf8f12a76d5f4800afb4f2c3576e67c7393f8270b05b96ac79
SHA1 hash: 37cbcc5552492f574a1a853f5e6b5a4b68821721
MD5 hash: d45ef38fdd52f3db2612afe96cd0547c
humanhash: montana-sierra-cat-snake
File name: Factura pendiente de pago.js (Spanish: "Invoice pending payment")
Signature: VIPKeylogger
File size: 40,700 bytes
First seen: 2026-04-20 15:07:49 UTC
Last seen: Never
File type: JavaScript (JS)
MIME type: text/plain
ssdeep: 768:IOxumppi5Oxumppix+H02dXPz4jAioubF1h:IOxumppi5OxumppixsTdL4P
TLSH: T16F038A16328FCB0872A25689569B03340BAFB96F1FBF41C5048DDEC98FE391598573A7
TrID: 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
      33.3% (.MP3) MP3 audio (1000/1)
Magika: vba
Reporter: abuse_ch
Tags: js VIPKeylogger

Intelligence

File Origin
# of uploads: 1
# of downloads: 116
Origin country: SE

Vendor Threat Intelligence

No detections

Verdict: Malicious
Score: 99.1%
Tags: obfuscate xtreme shell

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: base64 masquerade nemucod obfuscated powershell repaired

Verdict: Suspicious
Labeled as: PowerShell/TrojanDownloader.Agent

Verdict: Malicious
File type: js
First seen: 2026-04-20T09:58:00Z UTC
Last seen: 2026-04-22T13:36:00Z UTC
Hits: ~1000
Detections: HEUR:Trojan.PowerShell.Generic; PDM:Trojan.Win32.Generic; Trojan.JS.SAgent.sb; HEUR:Trojan.Script.Generic
Result
Threat name: Snake Keylogger, VIP Keylogger
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signatures:
.NET source code contains method to dynamically call methods (often used by packers)
AI detected malicious Powershell script
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Creates autostart registry keys with suspicious values (likely registry only malware)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Injects a PE file into a foreign process
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Self deletion via cmd or bat file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Execution of Powershell Script in Public Folder
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
WScript reads language and country specific registry keys (likely country aware script)
Wscript starts Powershell (via cmd or directly)
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Behaviour
Behavior Graph (ID: 1901287)
Sample: Factura pendiente de pago.js
Start date: 20/04/2026
Architecture: WINDOWS
Score: 100

Sample-level network indicators:
  reallyfreegeoip.org (Tries to detect the country of the analysis system by using the IP)
  api.telegram.org (Uses the Telegram API, likely for C&C communication)
  5 other IPs or domains
Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 16 other signatures

Process tree (signatures, dropped files and network contacts per process):

wscript.exe
  Signatures: JScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 4 other signatures
  -> powershell.exe
       Drops: C:\Users\Public\sxjbv.ps1 (Unicode)
       Signatures: Self deletion via cmd or bat file; Found suspicious powershell code related to unpacking or dynamic code loading
       -> powershell.exe
            Network: andrefelipedonascime1775471117328.2082219.meusitehostgator.com.br, 172.64.145.200, ports 443, 49686, 49695 (CLOUDFLARENET, United States)
            -> powershell.exe
                 Network: md.ccsuquk.com, 82.165.63.63, ports 443, 49694 (ONEANDONE-AS, Germany)
                 Drops: C:\Users\user\AppData\LocalLow\...\evmre.ps1 (Unicode)
                 Signatures: Self deletion via cmd or bat file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                 -> powershell.exe
                      Signatures: Writes to foreign memory regions; Hides threads from debuggers; Injects a PE file into a foreign process
                      -> InstallUtil.exe
                           Network: mail.mzinternationalltd.com, 192.110.165.149, ports 49715, 49749, 49750 (IOFLOOD, United States); checkip.dyndns.com, 132.226.8.169, ports 49698, 49700, 49702 (UTMEM, United States); 2 other IPs or domains
                           Signatures: Tries to steal Mail credentials (via file / registry access)
                      -> conhost.exe
                 -> cmd.exe
                      Signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
                      -> PING.EXE
                 -> cmd.exe
                      -> PING.EXE
                 -> 4 other processes
                      Signatures: Creates autostart registry keys with suspicious values (likely registry only malware)
                      -> PING.EXE
                      -> PING.EXE
       -> conhost.exe
cmd.exe
  -> powershell.exe
       Signatures: Writes to foreign memory regions; Hides threads from debuggers; Injects a PE file into a foreign process
       -> InstallUtil.exe
            Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
       -> InstallUtil.exe
       -> conhost.exe
  -> conhost.exe
cmd.exe
  -> powershell.exe
       -> InstallUtil.exe
       -> conhost.exe
  -> conhost.exe
svchost.exe
  Network: 127.0.0.1
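The signature list and process tree above describe a chain that is easy to express as endpoint detection logic: wscript.exe starting PowerShell, a Base64 -EncodedCommand argument, an execution-policy bypass, a .ps1 staged in C:\Users\Public, and ping.exe against loopback used as a sleep. The Python below is an added example, not code from the MalwareBazaar entry or from any of the sandbox vendors shown on it. It runs a few such rules over constructed Sysmon-style process-creation records (the records, the inner script, the paths and the rule names are all assumptions made for the example) and decodes the -EncodedCommand payload, which PowerShell defines as Base64 of UTF-16LE text.

```python
"""Added example: map several of the Sigma/sandbox signatures listed for this
sample onto constructed Sysmon-style process-creation events.

Everything below (event records, the inner script, the rule names) is an
assumption built for illustration, not data from the MalwareBazaar entry."""
import base64
import re
from pathlib import PureWindowsPath

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
WSCRIPT = r"C:\Windows\System32\wscript.exe"

# Constructed stand-in for the stage the .js hands to PowerShell.
# -EncodedCommand takes Base64 of UTF-16LE text, so encode it that way.
INNER = ("$b=[Convert]::FromBase64String('QQA=');"
         "IEX([Text.Encoding]::Unicode.GetString($b))")
ENC = base64.b64encode(INNER.encode("utf-16-le")).decode("ascii")

# Constructed process-creation records: parent image, image, command line.
EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe", "image": WSCRIPT,
     "cmd": '"' + WSCRIPT + r'" "C:\Users\user\Downloads\Factura pendiente de pago.js"'},
    {"id": 2, "parent": WSCRIPT, "image": PS,
     "cmd": '"' + PS + '" -NoP -W Hidden -ep bypass -enc ' + ENC},
    {"id": 3, "parent": PS, "image": PS,
     "cmd": '"' + PS + r'" -ExecutionPolicy Bypass -File C:\Users\Public\sxjbv.ps1'},
    {"id": 4, "parent": CMD, "image": r"C:\Windows\System32\PING.EXE",
     "cmd": "ping -n 15 127.0.0.1"},
    # Two benign-looking records so the rules have something to stay quiet on.
    {"id": 5, "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmd": '"' + PS + r'" -File "C:\Program Files\Scripts\backup.ps1"'},
    {"id": 6, "parent": CMD, "image": r"C:\Windows\System32\PING.EXE",
     "cmd": "ping -n 1 10.0.0.1"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
POWERSHELLS = {"powershell.exe", "pwsh.exe"}
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
# -enc, ...); a real payload is at least a few dozen Base64 characters.
ENC_RE = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)
EP_BYPASS_RE = re.compile(r"-e(?:p|x[a-z]*)\s+bypass", re.I)
PUBLIC_SCRIPT_RE = re.compile(r"\\Users\\Public\\[^\s\"]+\.(?:ps1|js|vbs|bat|cmd)\b", re.I)
PING_COUNT_RE = re.compile(r"-n\s+(\d+)", re.I)
LOOPBACK = ("127.0.0.1", "localhost", "::1")


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def decode_encoded_command(cmd: str):
    """Return the script behind -EncodedCommand, or None if there is none."""
    m = ENC_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # bad Base64, odd byte count or invalid UTF-16
        return None


def rule_script_host_spawns_shell(ev) -> bool:
    """WScript/CScript starting PowerShell or cmd (the .js to PowerShell hop)."""
    return basename(ev["parent"]) in SCRIPT_HOSTS and basename(ev["image"]) in SHELLS


def rule_encoded_powershell(ev) -> bool:
    """PowerShell launched with a decodable -EncodedCommand argument."""
    return basename(ev["image"]) in POWERSHELLS and decode_encoded_command(ev["cmd"]) is not None


def rule_decoded_loader(ev) -> bool:
    """Decoded command unpacks more Base64 or evaluates text at run time."""
    script = decode_encoded_command(ev["cmd"]) or ""
    return re.search(r"FromBase64String|Invoke-Expression|\bIEX\b", script, re.I) is not None


def rule_execution_policy_bypass(ev) -> bool:
    return basename(ev["image"]) in POWERSHELLS and EP_BYPASS_RE.search(ev["cmd"]) is not None


def rule_script_in_public_folder(ev) -> bool:
    """Script executed from C:\\Users\\Public, a world-writable staging folder."""
    return PUBLIC_SCRIPT_RE.search(ev["cmd"]) is not None


def rule_ping_sleep(ev) -> bool:
    """ping -n <N> against loopback is a delay loop, not a connectivity check."""
    if basename(ev["image"]) != "ping.exe":
        return False
    m = PING_COUNT_RE.search(ev["cmd"])
    return m is not None and int(m.group(1)) >= 5 and any(t in ev["cmd"].lower() for t in LOOPBACK)


RULES = {f.__name__[5:]: f for f in (
    rule_script_host_spawns_shell, rule_encoded_powershell, rule_decoded_loader,
    rule_execution_policy_bypass, rule_script_in_public_folder, rule_ping_sleep)}


def evaluate(events):
    """Return {event id: sorted names of the rules that fired}."""
    return {ev["id"]: sorted(n for n, f in RULES.items() if f(ev)) for ev in events}


if __name__ == "__main__":
    for ev_id, hits in evaluate(EVENTS).items():
        print(ev_id, hits or "-")
```

The decode step matters more than the pattern matches: a rule that only looks for `-enc` tells an analyst that something was hidden, while decoding the UTF-16LE payload shows whether it is a FromBase64String/IEX loader (as the sandbox flagged here) or an administrator's one-liner. Run against real telemetry, the parent/child pairing should come from process GUIDs rather than image names, and the Public-folder rule should also cover the LocalLow path the sandbox saw for the second dropped script.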
Threat name: Win32.Trojan.Ravartar
Status: Malicious
First seen: 2026-04-20 13:07:04 UTC
File type: Text (JavaScript)
AV detection: 13 of 38 (34.21%)
Threat level: 5/5

Result
Malware family: vipkeylogger
Score: 10/10
Tags: family:vipkeylogger collection defense_evasion discovery execution keylogger persistence stealer
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
System Network Configuration Discovery: Internet Connection Discovery
Browser Information Discovery
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Indicator Removal: File Deletion
Looks up external IP address via web service
.NET Reactor protector
Checks computer location settings
Drops startup file
Badlisted process makes network request
Family: VIPKeylogger
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments