MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d769adf67702dc9b6b6502c237013557cda9848d3d11de25ea30031c368e895. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

VIPKeylogger

Vendor detections: 15

Intelligence 15 IOCs YARA 3 File information Comments

SHA256 hash:	2d769adf67702dc9b6b6502c237013557cda9848d3d11de25ea30031c368e895
SHA3-384 hash:	cd1818d1c0e6aa0976f02509ba9c05f425dcf58dcd4f2a06a3ed1919a231afa5941283125fd653bfb418d5368fffef31
SHA1 hash:	130a6183f9844a963c0b9c78c3fd74e03fd26995
MD5 hash:	2be45b680192fe8d217eca52ac1d1c6d
humanhash:	victor-jersey-minnesota-bravo
File name:	Past Due Invoice.exe
Download:	download sample
Signature	VIPKeylogger Create hunting rule
File size:	727'040 bytes
First seen:	2025-08-05 13:01:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	12288:O3N5y+0xSxOWIB3ygEF3twc7880WnEdSMF6G7f35gDqKjl9KhP0UNK7ODC:SN5yRSx23EF3r78SnuSMFWWKhshP0iN
Threatray	4'104 similar samples on MalwareBazaar
TLSH	T191F412AE65A4C71AD45873B155B6FB7A13BD0C9AEA00E30EDBE99DCF391F16114083C2
TrID	56.5% (.EXE) Win64 Executable (generic) (10522/11/4) 11.0% (.ICL) Windows Icons Library (generic) (2059/9) 10.9% (.EXE) OS/2 Executable (generic) (2029/13) 10.7% (.EXE) Generic Win/DOS Executable (2002/3) 10.7% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
dhash icon	d9b8e8e8e96982ce (6 x SnakeKeylogger, 4 x AgentTesla, 4 x Formbook)
Reporter	James_inthe_box
Tags:	exe VIPKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

f6fb83db3241b52d6cc2b9cf9282e36b91491865bc2a5f4e397b7cb4165a0960.zip

Verdict:

Malicious activity

Analysis date:

2025-08-05 02:21:28 UTC

Tags:

arch-exec snake keylogger evasion auto-sch-xml telegram stealer

Link:

https://app.any.run/tasks/9a377789-71c1-4b05-9be8-caced6186a61

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/19002/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68916aa7af3050dc8d346b6c

Tags:

snake spam

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a process with a hidden window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Launching a process

DNS request

Connection attempt

Sending an HTTP GET request

Sending a custom TCP request

Reading critical registry keys

Stealing user critical data

Adding an exclusion to Microsoft Defender

Enabling autorun by creating a file

Forced shutdown of a browser

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed packed packer_detected vbnet

Link:

https://www.filescan.io/uploads/689200ec2fbe0788fb19e766/reports/d8dea99c-8801-4f41-85bc-32a04efa283e/overview

Verdict:

Malicious

Labled as:

MSIL/Kryptik_AGeneric.DVH trojan

Link:

https://www.hybrid-analysis.com/sample/2d769adf67702dc9b6b6502c237013557cda9848d3d11de25ea30031c368e895

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/33e83471-b234-4e4a-bf3a-03c69c311809

Score:

96%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/2d769adf67702dc9b6b6502c237013557cda9848d3d11de25ea30031c368e895

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

.Net Executable PDB Path PE (Portable Executable) SOS: 0.19 Win 64 Exe x64

Link:

https://app.malva.re/file/2be45b680192fe8d217eca52ac1d1c6d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2d769adf67702dc9b6b6502c237013557cda9848d3d11de25ea30031c368e895/

Threat name:

Win64.Spyware.Negasteal

Status:

Malicious

First seen:

2025-08-05 01:26:05 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fv3jvx3hoaw4tnvwkawcg4atkv6nvgci2pir3ys6umaddq3i5ckq._file

Verdict:

malicious

Label(s):

vipkeylogger

unc_loader_037

VIPKeylogger

49cb7c21ad3d17b2111afa0bd8cff61b959e1d2a0cb8914a22d4bd12feaaa725

VIPKeylogger

717343b73e45e00fbad3040f385b36005435c0d9b6e0cd6ef78b0f4bd4cf2907

VIPKeylogger

73ab8358ef3fd724fc5d5c31d13dfb4717ba6cc254c7da6402d3133c60ce058a

VIPKeylogger

b7e7bc4e1ecbab19a0f5f2e51abd0cb7d6d3beed30a9edc405e71751eea35a6d

VIPKeylogger

error

VIPKeylogger

+ 4'094 additional samples on MalwareBazaar

Result

Malware family:

vipkeylogger

Score:

10/10

Tags:

family:vipkeylogger collection discovery execution keylogger persistence spyware stealer

Link:

https://tria.ge/reports/250805-p9y51svrx3/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

outlook_office_path

outlook_win_path

Browser Information Discovery

Enumerates physical storage devices

SmartAssembly .NET packer

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Command and Scripting Interpreter: PowerShell

VIPKeylogger

Vipkeylogger family

Verdict:

Malicious

Tags:

404Keylogger

YARA:

n/a

Link:

https://app.threat.zone/submission/c39fa9d9-e136-4f26-8d5f-15d593b37ec0

Unpacked files

SH256 hash:

2d769adf67702dc9b6b6502c237013557cda9848d3d11de25ea30031c368e895

MD5 hash:

2be45b680192fe8d217eca52ac1d1c6d

SHA1 hash:

130a6183f9844a963c0b9c78c3fd74e03fd26995

Link:

https://www.unpac.me/results/41a9bc6f-c8b3-4e18-b709-7ac49088828b/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/2d769adf6770/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.84

Link:

https://yomi.yoroi.company/submissions/2d769adf67702dc9b6b6502c237013557cda9848d3d11de25ea30031c368e895

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/19002/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample