MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 07ac845eee39222cc487d6dfe0a50f12874af6b05ea0390b5d6e4e4e64d3e18c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VIPKeylogger


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 07ac845eee39222cc487d6dfe0a50f12874af6b05ea0390b5d6e4e4e64d3e18c
SHA3-384 hash: 79a0e67928be5635cd11192eb1327d6c06a79e7adad55cec08a19081192e3b48fbeb5c2fd4a2dda73c8a6871d3ac0a29
SHA1 hash: 0a4d0993ccf384fbc7714e0dbc7371bff9947209
MD5 hash: d25fb723e2a5fd1596da0024d239298e
humanhash: oscar-batman-five-utah
File name:251378.exe
Download: download sample
Signature VIPKeylogger
Create hunting rule
File size:612'000 bytes
First seen:2025-10-17 06:03:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 46ce5c12b293febbeb513b196aa7f843 (22 x GuLoader, 12 x RemcosRAT, 5 x VIPKeylogger)
ssdeep 12288:+X4eIO/YyqmEYuanVHPC4zMprecccIB+5d1SBnTYKFPGfIC0v5pF:A4eIRyzEYBvRH8bkyIL5b
Threatray 2'184 similar samples on MalwareBazaar
TLSH T145D4234517B98CABE6E35930046344FAEBDBAD450480930F5F04BF477E766B2886B78B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon d022d8c8f28f80c0 (36 x GuLoader, 12 x VIPKeylogger, 6 x Formbook)
Reporter adrian__luca
Tags:exe signed VIPKeylogger

Code Signing Certificate

Organisation:Mediciners
Issuer:Mediciners
Algorithm:sha256WithRSAEncryption
Valid from:2025-10-01T00:43:57Z
Valid to:2026-10-01T00:43:57Z
Serial number: 5590a99a10669141c8e055bc88f4d52962287454
Thumbprint Algorithm:SHA256
Thumbprint: 26633776332c9a490bdb1241b9fa72432cbb655bf6e34f658ce7a99ef0faa427
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
_07ac845eee39222cc487d6dfe0a50f12874af6b05ea0390b5d6e4e4e64d3e18c.exe
Verdict:
Malicious activity
Analysis date:
2025-10-17 06:08:03 UTC
Tags:
evasion snake keylogger telegram stealer
Link:
https://app.any.run/tasks/38d84a00-33f2-4ad3-a2bd-2b55a5592fe9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/33155/
Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68f1dc720cffb3244298a754
Tags:
injector uloader virus nsis
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Searching for the window
Creating a file
Delayed reading of the file
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug blackhole guloader installer microsoft_visual_cc nsis overlay signed unsafe
Link:
https://www.filescan.io/uploads/68f1dc6f057c46a471d0c95e/reports/0286afb2-21e1-498c-90e2-990cfe7eb197/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/07ac845eee39222cc487d6dfe0a50f12874af6b05ea0390b5d6e4e4e64d3e18c
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-09T11:29:00Z UTC
Last seen:
2025-10-18T02:54:00Z UTC
Hits:
~1000
Detections:
Trojan.Win32.Guloader.dfr Trojan.NSIS.Makoob.sbb Trojan.NSIS.Makoob.sba Packed.NSIS.Krynis.sb VHO:Trojan-Downloader.Win32.Minix.gen Trojan-Downloader.Win32.Minix.sb Trojan.Win32.Guloader.sb
Link:
https://opentip.kaspersky.com/07ac845eee39222cc487d6dfe0a50f12874af6b05ea0390b5d6e4e4e64d3e18c/results?tab=lookup
Malware family:
WinEdt Team
Create hunting rule
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/b1bf53e3-2c0e-4dca-ae4a-00bff56eea6f
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/07ac845eee39222cc487d6dfe0a50f12874af6b05ea0390b5d6e4e4e64d3e18c
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/d25fb723e2a5fd1596da0024d239298e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/07ac845eee39222cc487d6dfe0a50f12874af6b05ea0390b5d6e4e4e64d3e18c/
Verdict:
Malicious
Threat:
Family.SNAKE
Link:
https://tip.neiki.dev/file/07ac845eee39222cc487d6dfe0a50f12874af6b05ea0390b5d6e4e4e64d3e18c
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2025-10-09 18:56:28 UTC
File Type:
PE (Exe)
Extracted files:
95
AV detection:
18 of 36 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a6wiixxoherczreh23p6bjipckduv5vql2qdsc25nzhe4zgt4gga._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
0140edbd4ebb2e1d24804f6c9891e2309829ecf28ed86b4a038b63cdcb641d0d
VIPKeylogger
519ffa69c89f1f6ca85fc80f08b9d2cb7b731cdd5ebff1cf3221a4e5d0c46582
VIPKeylogger
545812664008d0b35cf61c15c79526b1d5d05aef886a3f85c9056570fbf13933
VIPKeylogger
677fa0e6764f872b832bd199c317eb3f1c21ba43bedb239d9f5097836b9fb65c
VIPKeylogger
ec40add0f6f93d1ed5cc9a72fde905d55f17f394525fae57eb514a935a202660
VIPKeylogger
error
VIPKeylogger
+ 2'174 additional samples on MalwareBazaar
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:vipkeylogger collection discovery keylogger spyware stealer
Link:
https://tria.ge/reports/251017-gsv32axp14/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
VIPKeylogger
Vipkeylogger family
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/91934cf7-e6fb-451a-8c81-0e811059ceec
Unpacked files
SH256 hash:
8b4c47c4cf5e76ec57dd5a050d5acd832a0d532ee875d7b44f6cdaf68f90d37c
MD5 hash:
9b38a1b07a0ebc5c7e59e63346ecc2db
SHA1 hash:
97332a2ffcf12a3e3f27e7c05213b5d7faa13735
Link:
https://www.unpac.me/results/aeba643e-7d06-4b9c-9d28-0a5f5230bf07/
SH256 hash:
07ac845eee39222cc487d6dfe0a50f12874af6b05ea0390b5d6e4e4e64d3e18c
MD5 hash:
d25fb723e2a5fd1596da0024d239298e
SHA1 hash:
0a4d0993ccf384fbc7714e0dbc7371bff9947209
Link:
https://www.unpac.me/results/aeba643e-7d06-4b9c-9d28-0a5f5230bf07/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/07ac845eee39222cc487d6dfe0a50f12874af6b05ea0390b5d6e4e4e64d3e18c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

VIPKeylogger

Executable exe 07ac845eee39222cc487d6dfe0a50f12874af6b05ea0390b5d6e4e4e64d3e18c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/33155/

Comments