MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 45b84d64980ee2dd76810273f961aa446efee1094ff69a58c9d1e362a5f1a525. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

VIPKeylogger

Vendor detections: 8

Intelligence 8 IOCs YARA 12 File information Comments

SHA256 hash:	45b84d64980ee2dd76810273f961aa446efee1094ff69a58c9d1e362a5f1a525
SHA3-384 hash:	9f8c2a9b23d82a50d005508c26dc1a39ab1e56861c795dbe0351eb26f2b720b3b640f71b50e3cc5d94d3860da5ada025
SHA1 hash:	5e85c9fa3b52efae355a8e5360939a17056c9f72
MD5 hash:	8b9e76abaee93c72006fa1f71d97e477
humanhash:	louisiana-virginia-alaska-fourteen
File name:	SNKO05B241100201.zip
Download:	download sample
Signature	VIPKeylogger Create hunting rule
File size:	655'558 bytes
First seen:	2025-03-10 13:23:25 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	12288:1xaoIr3znWLaOTnZg9xk1+dR2OQpznfnJd1DJed7kL5hPgp+1fl:9IWpmA+dgJNfnJd1kd7kL5hYpUt
TLSH	T101D42300D1F2A2CD2E3F462F15FDE03257267073361A460EF668DB6CA590EF8E96E945
Magika	zip
Reporter	cocaman
Tags:	VIPKeylogger zip

cocaman

Malicious email (T1566.001)
From: "Anik Dhar <anik@globelink.biz>" (likely spoofed)
Received: "from globelink.biz (unknown [195.211.191.34]) "
Date: "10 Mar 2025 06:44:59 -0700"
Subject: "RE: PRE-SHIPMENT ADVICE -ASN LOGISTICS....BL NO - SNKO05B241100201"
Attachment: "SNKO05B241100201.zip"

Intelligence

File Origin

# of uploads :

# of downloads :

261

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	SNKO05B241100201.exe
File size:	694'272 bytes
SHA256 hash:	35ec397eea9d33a1ad18da5f55087a53a47771a8c74a85894eec1c133c085923
MD5 hash:	7a3fe7b37dd00e2ee171c9cd338cbe57
MIME type:	application/x-dosexec
Signature	VIPKeylogger

Vendor Threat Intelligence

Verdict:

Malicious

Score:

93.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67cef4eb1f777fe30608b10a

Tags:

backdoor micro shell

Result

Verdict:

Unknown

File Type:

PE File

Link:

https://app.docguard.net/45b84d64980ee2dd76810273f961aa446efee1094ff69a58c9d1e362a5f1a525/results/dashboard

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed packed packer_detected vbnet

Link:

https://www.filescan.io/uploads/67cee8093c5f644bd94b4616/reports/7a5e3d01-98bf-4f3a-8a11-607a03afa6a9/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/45b84d64980ee2dd76810273f961aa446efee1094ff69a58c9d1e362a5f1a525

Result

Verdict:

UNKNOWN

Link:

https://labs.inquest.net/dfi/sha256/45b84d64980ee2dd76810273f961aa446efee1094ff69a58c9d1e362a5f1a525

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Score:

100%

Verdict:

Malware

File Type:

Result

Malware family:

vipkeylogger

Score:

10/10

Tags:

family:vipkeylogger collection discovery execution keylogger spyware stealer

Link:

https://tria.ge/reports/250310-rskx6sxry8/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Command and Scripting Interpreter: PowerShell

VIPKeylogger

Vipkeylogger family

Malware Config

C2 Extraction:

https://api.telegram.org/bot8019869757:AAFZ9XHN-49qRW4hpU6dvLTFC3DhSZuSUNk/sendMessage?chat_id=5649235024

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/45b84d64980ee2dd76810273f961aa446efee1094ff69a58c9d1e362a5f1a525

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Suspicious_Latam_MSI_and_ZIP_Files Create hunting rule
Author:	eremit4, P4nd3m1cb0y
Description:	Detects suspicious .msi and .zip files used in Latam banking trojan campaigns.

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)