MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 38d0a1ad822cd06fdd67d8b118db86088b9f4bdbe98548233643af976f363e69. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

VIPKeylogger

Vendor detections: 15

Intelligence 15 IOCs YARA 4 File information Comments

SHA256 hash:	38d0a1ad822cd06fdd67d8b118db86088b9f4bdbe98548233643af976f363e69
SHA3-384 hash:	a3c7df8c6d67ed60a5a226fd7b5010e26fc9cf966fe7c73474080e5f76a0ac7dcb766da54c4ceebd8ee741737ee98a65
SHA1 hash:	bdf38e8b540b33756f1521d22ac57deb60ab2cdc
MD5 hash:	c42cd7e91e42ec46562bcc1fcb14096a
humanhash:	william-north-march-fifteen
File name:	38d0a1ad822cd06fdd67d8b118db86088b9f4bdbe98548233643af976f363e69
Download:	download sample
Signature	VIPKeylogger Create hunting rule
File size:	779'776 bytes
First seen:	2025-12-08 15:11:59 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'845 x AgentTesla, 19'778 x Formbook, 12'298 x SnakeKeylogger)
ssdeep	12288:el1QytxsVztHS5e/8LDwX5JtizDzSQ2i2M+ob4JmLY63jS2hy1Q:el1Qw+tHSE/8YX5JtbvoUJ6Zhy1Q
Threatray	1'286 similar samples on MalwareBazaar
TLSH	T1E6F402A5375AED03D4E20BF00870E3F41376AE98A512E3434EFABDABBD6735525502D2
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	adrian__luca
Tags:	exe VIPKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/569babfd-7274-4f9c-90a4-920be80c3ad8/

Malware family:

n/a

ID:

File name:

38d0a1ad822cd06fdd67d8b118db86088b9f4bdbe98548233643af976f363e69

Verdict:

Malicious activity

Analysis date:

2025-12-08 21:07:45 UTC

Tags:

snake keylogger evasion auto-sch-xml telegram stealer ims-api generic

Link:

https://app.any.run/tasks/c3d3b49d-b46e-4c80-a5bb-a766d5c0e4da

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

VIPKeyLogger

Link:

https://www.capesandbox.com/analysis/43376/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6936eb9b881313558a2b8e51

Tags:

virus micro shell

Verdict:

Malicious

Labled as:

MSIL/GenKryptik_AGeneric.ATY trojan

Link:

https://www.hybrid-analysis.com/sample/38d0a1ad822cd06fdd67d8b118db86088b9f4bdbe98548233643af976f363e69

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-11-18T03:07:00Z UTC

Last seen:

2025-11-29T19:43:00Z UTC

Hits:

~100

Link:

https://opentip.kaspersky.com/38d0a1ad822cd06fdd67d8b118db86088b9f4bdbe98548233643af976f363e69/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/38f06484-b5c8-4223-80d9-eeb986fbd35b

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/38d0a1ad822cd06fdd67d8b118db86088b9f4bdbe98548233643af976f363e69

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/38d0a1ad822cd06fdd67d8b118db86088b9f4bdbe98548233643af976f363e69/

Threat name:

Win32.Spyware.Negasteal

Status:

Malicious

First seen:

2025-11-18 08:23:46 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

29 of 38 (76.32%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hdikdlmcftig7xlh3cyrrw4gbcfz6s635gcuqizwioxzo3zwhzuq._file

Verdict:

malicious

Label(s):

vipkeylogger

unc_loader_037

unc_loader_078

VIPKeylogger

38d0a1ad822cd06fdd67d8b118db86088b9f4bdbe98548233643af976f363e69

VIPKeylogger

acdf77f74f6d21c09d55634b1401244b1a18a9bf77fef81d7f7e57e5a3da4d5f

VIPKeylogger

ad959b3d5b0f610f9beb2e627fc32b93997dfc4cad70309c437ed8e2b0718403

VIPKeylogger

error

VIPKeylogger

+ 1'276 additional samples on MalwareBazaar

Result

Malware family:

vipkeylogger

Score:

10/10

Tags:

family:vipkeylogger collection discovery execution keylogger persistence stealer

Link:

https://tria.ge/reports/251208-sle9saypfn/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Executes dropped EXE

Command and Scripting Interpreter: PowerShell

VIPKeylogger

Vipkeylogger family

Malware Config

C2 Extraction:

https://api.telegram.org/bot7469710327:AAFd_SRb0l1kKsCUeV6os4r7ufpnbWf2zEk/sendMessage?chat_id=5722673103

Verdict:

Malicious

Tags:

404Keylogger

YARA:

n/a

Link:

https://app.threat.zone/submission/a3912afe-5107-479a-a7cb-8434f461df74

Unpacked files

SH256 hash:

38d0a1ad822cd06fdd67d8b118db86088b9f4bdbe98548233643af976f363e69

MD5 hash:

c42cd7e91e42ec46562bcc1fcb14096a

SHA1 hash:

bdf38e8b540b33756f1521d22ac57deb60ab2cdc

Link:

https://www.unpac.me/results/dab9c363-d8c3-496c-b517-aefafc556dbe/

SH256 hash:

0748253bb84d8fd3277d926bee9aae97560c37921ccb3d1dbf3199fae3e62a20

MD5 hash:

0b2dd04f55951e3d7e42268c47161128

SHA1 hash:

1b4cd4e9944032fe88cac5dc0c5fc46d2189b327

Link:

https://www.unpac.me/results/dab9c363-d8c3-496c-b517-aefafc556dbe/

SH256 hash:

c23bc0d6b6574a53b2cd9de492e59fe98812582daac3cfca6044ee27c72391ef

MD5 hash:

f8712dec7b8eb573203eab8363c9c5ad

SHA1 hash:

a9cfa362601b829cd3a87e5cff52032c8c91bfaf

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/dab9c363-d8c3-496c-b517-aefafc556dbe/

SH256 hash:

a12a6cad33eed9741a60af28e1c0ab2070a730a75971b265a5987f4f7487115e

MD5 hash:

982581743306c4115c3f140b4e99c929

SHA1 hash:

c9e26e300dd29f8610474c1e6dba74f6495912a4

Detections:

win_404keylogger_g1

MAL_Envrial_Jan18_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_DotNetProcHook

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

Link:

https://www.unpac.me/results/dab9c363-d8c3-496c-b517-aefafc556dbe/

Parent samples :

d05fe01fe172e75cd0b82ddc1a95338cc35ae68ce2d2fea9cb86ea01cf12d49d
38d0a1ad822cd06fdd67d8b118db86088b9f4bdbe98548233643af976f363e69
c212afcf4ae31723c9e917c8a1f88d9d39aabd4c7e7c5fefc97a82ccc71e63c2

Malware family:

VIPKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/38d0a1ad822c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/43376/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample