MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0baecb92b8e375afe7db841b521040f731c923e5919fc23f42be91973366a83c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VIPKeylogger


Vendor detections: 16


Intelligence 16 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0baecb92b8e375afe7db841b521040f731c923e5919fc23f42be91973366a83c
SHA3-384 hash: fa982d84f5c4699d81620c25d2bfc6ea914ddcc72ea7cc4d38cde94817329f74d2d2c7b9612f6513d76f63bb8d3315f3
SHA1 hash: a50b74eb202a1c55362d6b7931fe56b7c0bb4312
MD5 hash: 3018e9591f54c3dc959ac9834995b9b6
humanhash: louisiana-green-sodium-eight
File name:0baecb92b8e375afe7db841b521040f731c923e5919fc23f42be91973366a83c
Download: download sample
Signature VIPKeylogger
Create hunting rule
File size:1'792'264 bytes
First seen:2025-03-10 11:30:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:ELFZHUCS4BarJd8clGjBJpWLqrc3m5P+v3Ej1ZiCn7HGEah8n0WzxUmLTPZCK5Oz:EhSzJdLsjrpWEmKk3E1ZNDGE3nrzpTop
Threatray 2'221 similar samples on MalwareBazaar
TLSH T15885E00133F8A57AD59E9770E842A01587F0E0A5E6C6EBAB1D8B37F86C1B7537884077
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon e4e4e48c8c8cc4c4 (1 x VIPKeylogger)
Reporter adrian__luca
Tags:exe VIPKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
296
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
CATALOGU INQUIRY QUOTATION (1.38 MB).msg
Verdict:
Malicious activity
Analysis date:
2025-02-24 09:52:10 UTC
Tags:
attachments attc-arch arch-exec evasion snake keylogger
Link:
https://app.any.run/tasks/4f0e79ec-c17a-4310-bc3c-275ca49114dc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67cece901f777fe3060892eb
Tags:
autorun stealer virus msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %AppData% directory
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Creating a window
Stealing user critical data
Enabling autorun by creating a file
Forced shutdown of a browser
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
invalid-signature obfuscated packed packed packer_detected signed stealer
Link:
https://www.filescan.io/uploads/67cecd8e3c5f644bd94b1a12/reports/73cbe582-0fd7-4687-bebd-458317e5cf4c/overview
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/0baecb92b8e375afe7db841b521040f731c923e5919fc23f42be91973366a83c
Result
Verdict:
MALICIOUS
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/68394468-595e-42b2-bba5-d1aba5739cc4
Result
Threat name:
Snake Keylogger, VIP Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1634827
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Drops VBS files to the startup folder
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1634827 Sample: gID5oMWjq1.exe Startdate: 11/03/2025 Architecture: WINDOWS Score: 100 23 reallyfreegeoip.org 2->23 25 api.telegram.org 2->25 27 2 other IPs or domains 2->27 35 Suricata IDS alerts for network traffic 2->35 37 Found malware configuration 2->37 39 Malicious sample detected (through community Yara rule) 2->39 45 12 other signatures 2->45 7 gID5oMWjq1.exe 15 5 2->7         started        12 wscript.exe 1 2->12         started        signatures3 41 Tries to detect the country of the analysis system (by using the IP) 23->41 43 Uses the Telegram API (likely for C&C communication) 25->43 process4 dnsIp5 29 api.telegram.org 149.154.167.220, 443, 50282, 50289 TELEGRAMRU United Kingdom 7->29 31 checkip.dyndns.com 158.101.44.242, 49713, 50256, 50258 ORACLE-BMC-31898US United States 7->31 33 reallyfreegeoip.org 104.21.16.1, 443, 49717, 50255 CLOUDFLARENETUS United States 7->33 17 C:\Users\user\AppData\Roaming\Source.exe, PE32 7->17 dropped 19 C:\Users\user\...\Source.exe:Zone.Identifier, ASCII 7->19 dropped 21 C:\Users\user\AppData\Roaming\...\Source.vbs, ASCII 7->21 dropped 47 Tries to steal Mail credentials (via file / registry access) 7->47 49 Drops VBS files to the startup folder 7->49 51 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->51 53 Windows Scripting host queries suspicious COM object (likely to drop second stage) 12->53 14 Source.exe 14 2 12->14         started        file6 signatures7 process8 signatures9 55 Multi AV Scanner detection for dropped file 14->55 57 Tries to steal Mail credentials (via file / registry access) 14->57 59 Tries to harvest and steal browser information (history, passwords, etc) 14->59
Score:
93%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0baecb92b8e375afe7db841b521040f731c923e5919fc23f42be91973366a83c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0baecb92b8e375afe7db841b521040f731c923e5919fc23f42be91973366a83c/
Threat name:
ByteCode-MSIL.Trojan.Jalapeno
Create hunting rule
Status:
Malicious
First seen:
2025-02-24 09:53:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=boxmxevy4n227z63qqnveeca64y4si7fsgp4ep2cx2izom3gva6a._file
Verdict:
malicious
Label(s):
vipkeylogger
Create hunting rule
Similar samples:
0baecb92b8e375afe7db841b521040f731c923e5919fc23f42be91973366a83c
VIPKeylogger
109c796b316470b61df7a49a0250af8562f130e6365c702ea5559926c1aeacfb
VIPKeylogger
3014fe96ba09009c9717c930855baf4cfaba24db90ec6f6004daa619d5c07395
VIPKeylogger
3c088cea1ecd49c34bf972e1df93121b9edad6fe01412a7a3fd6b2e1a2b06707
VIPKeylogger
68f7221674dbbb7621ce4d491bb7869344db5d91e9017601943e7b1e672b2d7b
VIPKeylogger
c7620ccaf9c2d47ba08cf85e65e55ea974f8887e18d96574a1aa63f09e836451
VIPKeylogger
c98487cf89bc7784eaba139e1cb98837e6e71633e59e626aae1b45411aad380e
VIPKeylogger
error
VIPKeylogger
+ 2'211 additional samples on MalwareBazaar
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:vipkeylogger collection discovery keylogger spyware stealer
Link:
https://tria.ge/reports/250310-nmvcwasqv4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
outlook_office_path
outlook_win_path
Browser Information Discovery
System Location Discovery: System Language Discovery
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Drops startup file
Reads user/profile data of local email clients
Reads user/profile data of web browsers
VIPKeylogger
Vipkeylogger family
Malware Config
C2 Extraction:
https://api.telegram.org/bot7538945541:AAEDj6WLyaeZtSruFCTvcpwTwP6sVcHPzO4/sendMessage?chat_id=6098953234
Verdict:
Malicious
Tags:
404keylogger
YARA:
n/a
Link:
https://app.threat.zone/submission/b5585d38-37d5-414b-959b-70693f25f1be
Unpacked files
SH256 hash:
0baecb92b8e375afe7db841b521040f731c923e5919fc23f42be91973366a83c
MD5 hash:
3018e9591f54c3dc959ac9834995b9b6
SHA1 hash:
a50b74eb202a1c55362d6b7931fe56b7c0bb4312
Link:
https://www.unpac.me/results/fc5f7bf6-18fb-4fb4-819b-882140b9a22e/
SH256 hash:
62fd77d44b474eff6858aa9e736a9d648b39a76f1f98990f65d22ad1c076c9df
MD5 hash:
0d7039a3b4e329dda214f39fcbef492e
SHA1 hash:
f99b1a7cb612bde97780c30b48785be5c7331de5
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/fc5f7bf6-18fb-4fb4-819b-882140b9a22e/
SH256 hash:
c0a6fe97c0879ecda76568a1b494a3f34972ade4c8d7dbefe7dfdf649159e0b9
MD5 hash:
7da4c07bb9fe5746b4a3e287386c0a56
SHA1 hash:
398b8995dd4d67c2e7d8c787b24a46c9a855af61
Detections:
win_404keylogger_g1
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Link:
https://www.unpac.me/results/fc5f7bf6-18fb-4fb4-819b-882140b9a22e/
SH256 hash:
78f73e1734daa918b253517c75971fbb8df773a3d77d02a752e9a0ad1711a677
MD5 hash:
f9d2985aa1c41cca281321fffb5ed424
SHA1 hash:
3a7a58d2dcae2762882357ae34d372744b1dbb9d
Link:
https://www.unpac.me/results/fc5f7bf6-18fb-4fb4-819b-882140b9a22e/
SH256 hash:
19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash:
4e29f75c0c51b9dec76955f0382d9541
SHA1 hash:
4899aa8e3f57339cbaec8faab777897a76fe1c3a
Link:
https://www.unpac.me/results/fc5f7bf6-18fb-4fb4-819b-882140b9a22e/
SH256 hash:
eacb3e025948d8d62c5e759350945ee82c684e696b3ebf66c5d9d6b092cb9d4f
MD5 hash:
e3cec7e2ec1eec1884c2c41bae128885
SHA1 hash:
7e7f1fdf48065bf4143fc0b22cb4c38d6563022d
Link:
https://www.unpac.me/results/fc5f7bf6-18fb-4fb4-819b-882140b9a22e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/0baecb92b8e375afe7db841b521040f731c923e5919fc23f42be91973366a83c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:Lumma_Stealer_Detection
Create hunting rule
Author:ashizZz
Description:Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments