MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f46a75587e018a147f031be7f79a40aced7c86a6d1313fd34df8cdafec90376. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

VIPKeylogger

Vendor detections: 15

Intelligence 15 IOCs YARA 8 File information Comments

SHA256 hash:	3f46a75587e018a147f031be7f79a40aced7c86a6d1313fd34df8cdafec90376
SHA3-384 hash:	2bed79349e6df5c0d1333567f27736a3baaf9f8d2db3ccd5cbd3121f7d9bc91e479b2c22cd2bb8d4becf497e148d0262
SHA1 hash:	43e149d8a902c64193cb32ce297e827db8a13139
MD5 hash:	2cbfc53f168a35882cc09ccf038553bd
humanhash:	golf-mockingbird-comet-zulu
File name:	#4567890012.exe
Download:	download sample
Signature	VIPKeylogger Create hunting rule
File size:	827'400 bytes
First seen:	2025-08-19 13:30:22 UTC
Last seen:	2025-09-05 12:53:31 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:43HUaiGDh7z+yGWg5B87goNT5t3HptleP5Xl5jG5vgtChan29uylkwAmwoVlJkR:AUaxe87PT3JtsP515jcYtD
Threatray	3'307 similar samples on MalwareBazaar
TLSH	T15205CF9C3210B59EC867C9728E64ED74E6646CAA530BD20391E31DEFBD0DA96CF141E3
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	James_inthe_box
Tags:	exe sam--plywoodhanglin-com VIPKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

#4567890012.exe

Verdict:

Malicious activity

Analysis date:

2025-08-19 13:31:56 UTC

Tags:

netreactor evasion snake keylogger telegram stealer exfiltration smtp

Link:

https://app.any.run/tasks/4c3d3714-c76f-41c8-bd54-24b831cc4c72

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/22160/

Verdict:

Clean

Score:

N/A%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68a47c97c2f5296a1a284a74

Tags:

n/a

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a process with a hidden window

Launching a process

Creating a file

Сreating synchronization primitives

Forced shutdown of a system process

Adding an exclusion to Microsoft Defender

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

confuserex confuserex expired-cert invalid-signature obfuscated obfuscated packed signed vbnet

Link:

https://www.filescan.io/uploads/68a47c94a4bdac9f5b9e5ea9/reports/6a813b06-fae5-49c2-82f6-6f7eb7940f42/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/3f46a75587e018a147f031be7f79a40aced7c86a6d1313fd34df8cdafec90376

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/c5b26fd8-c2a1-4e87-b4b9-e607a7b667d9

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/3f46a75587e018a147f031be7f79a40aced7c86a6d1313fd34df8cdafec90376

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3f46a75587e018a147f031be7f79a40aced7c86a6d1313fd34df8cdafec90376/

Verdict:

Malicious

Threat:

Family.SNAKE

Link:

https://tip.neiki.dev/file/3f46a75587e018a147f031be7f79a40aced7c86a6d1313fd34df8cdafec90376

Threat name:

Win32.Trojan.Egairtigado

Status:

Malicious

First seen:

2025-08-19 13:20:45 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=h5dkovmh4amkcr7qgg7h66neblhnpsdknujrh7ju36gnv7wjan3a._file

Verdict:

malicious

Label(s):

vipkeylogger

unc_loader_037

VIPKeylogger

7c570b8b4d6d3a57d84b6a9b9f57860f542608346b2cf54d6f8d4e8f2710dc1a

VIPKeylogger

db7c69795df802060ba5ffc482dccfe9d35881974920462987573c6efb61abe0

VIPKeylogger

dfbdcb71083d3e4f696c081707f8c980f8e84466693ccf4607417d55f10b47cd

VIPKeylogger

error

VIPKeylogger

f25c044dd471991df3a8fd7ffdd3b0298454309d93882958afa02533d2e93e05

VIPKeylogger

f7d2aeb3c3f8d1bec48bbf92745cc52825a00a57dcda82d2b4ac2f09c87f373c

VIPKeylogger

+ 3'297 additional samples on MalwareBazaar

Result

Malware family:

vipkeylogger

Score:

10/10

Tags:

family:vipkeylogger collection defense_evasion discovery execution keylogger stealer

Link:

https://tria.ge/reports/250819-qr9dpstzas/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Command and Scripting Interpreter: PowerShell

Modifies trusted root certificate store through registry

VIPKeylogger

Vipkeylogger family

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/35f1d7d8-70e4-431c-8801-76396f1b442e

Unpacked files

SH256 hash:

3f46a75587e018a147f031be7f79a40aced7c86a6d1313fd34df8cdafec90376

MD5 hash:

2cbfc53f168a35882cc09ccf038553bd

SHA1 hash:

43e149d8a902c64193cb32ce297e827db8a13139

Link:

https://www.unpac.me/results/08d31d3b-1cb3-494b-b93d-5b37a90bba04/

SH256 hash:

27e5ffda53751e7360f380bd82a3176a7875a555f6af5b130fb2d64ff776c895

MD5 hash:

68845a1d0f6c65bb7ecc09ca76d2f005

SHA1 hash:

0145c4314c2cf41ae583bb32784fe780c1cdaf1d

Link:

https://www.unpac.me/results/08d31d3b-1cb3-494b-b93d-5b37a90bba04/

SH256 hash:

432268b926c1061c8ffb45c3f3a7764c8bcf3904ef68f3fd4445bf449cc29439

MD5 hash:

0db2259567514ee489f2c5cde524cf42

SHA1 hash:

35b81599c650121b9df346bdd00948580588f4a2

Detections:

win_404keylogger_g1

MAL_Envrial_Jan18_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_DotNetProcHook

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

Link:

https://www.unpac.me/results/08d31d3b-1cb3-494b-b93d-5b37a90bba04/

Parent samples :

ffc45b80b1fc40415c69b170cdf563b268bfb5653e17c83f6d3722b7f6cfe391
3f46a75587e018a147f031be7f79a40aced7c86a6d1313fd34df8cdafec90376
ed67e313856d24ddff3ab5d32f7c008091dba877cc81c20f231915ddc47aa495
d9b561166f1a4217a18c9af81de9dbf9df53a86747993a7c931535761df37f42
9454ed7dab210e18bef21b1c59a2736a65ced61892df6299fdcf743cce638bcf

SH256 hash:

2719a3160f9768ab2819b4620a2cdc01437cc8e35f4158b6b6cb4360de463012

MD5 hash:

b133167146989a3ddbebca65d573115c

SHA1 hash:

dea4f3814542a6ebf901aa8f6e0f5b2732701663

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/08d31d3b-1cb3-494b-b93d-5b37a90bba04/

Malware family:

zgRAT

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3f46a75587e0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3f46a75587e018a147f031be7f79a40aced7c86a6d1313fd34df8cdafec90376

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/22160/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample