MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b8fb5faa31496f1f48bdaf1ee7e6f850f631b0b45015ccf31e55cc5b7105c00. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

VIPKeylogger

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	4b8fb5faa31496f1f48bdaf1ee7e6f850f631b0b45015ccf31e55cc5b7105c00
SHA3-384 hash:	c3175ebdd41ca67a8ac20c86bc7fa51846e4f562f403cb9cbb6164cc8dbc7f79e64c990ff5267aacb9194cab2bf4ae3a
SHA1 hash:	f429dac490fa8222b4c3a1730f7dad725f86edb0
MD5 hash:	5ae11e30aca6c3fe3046794d365922b4
humanhash:	hawaii-cup-papa-queen
File name:	Request for Quotation EQRFQ2025407WAA.bat
Download:	download sample
Signature	VIPKeylogger Create hunting rule
File size:	312'001 bytes
First seen:	2025-09-30 07:21:17 UTC
Last seen:	Never
File type:	bat
MIME type:	text/plain
ssdeep	3072:Uunmg1XZioEfUfg9jUOr6M9iKdWAuniIbt1uaon5QY1O7c:JNZUU0GM4dAlIbt1ud5LD
Threatray	1'587 similar samples on MalwareBazaar
TLSH	T19564B8EA2CC61FA20A401FFB62F11DEF1D9592D2F644E16879917CE1631223C5F78A9C
Magika	batch
Reporter	Anonymous
Tags:	bat VIPKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

RequestforQuotationEQRFQ2025407WAA.bat

Verdict:

Malicious activity

Analysis date:

2025-09-30 07:24:48 UTC

Tags:

evasion snake keylogger telegram stealer susp-powershell

Link:

https://app.any.run/tasks/dfbc7e7a-77cf-4782-af4e-a7da59b9e4ba

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

VIPKeyLogger

Link:

https://www.capesandbox.com/analysis/29540/

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68db84f57d643f33eab8c931

Tags:

obfuscate xtreme shell

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

base64 evasive obfuscated powershell

Link:

https://www.filescan.io/uploads/68db84fa3cbcc188f8eb7763/reports/2eb392ad-1dda-43c5-a4ac-e069f3d180c7/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/4b8fb5faa31496f1f48bdaf1ee7e6f850f631b0b45015ccf31e55cc5b7105c00

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-09-30T00:37:00Z UTC

Last seen:

2025-09-30T00:37:00Z UTC

Hits:

~100

Detections:

PDM:Trojan.Win32.Generic HEUR:Trojan.BAT.Tesre.gen Trojan-PSW.Win32.Stelega.sb Trojan-PSW.Win32.Stealer.sb Trojan.BAT.Agent.sb HEUR:Trojan.PowerShell.Tesre.sb Trojan.PowerShell.AmsiBypass.sb

Link:

https://opentip.kaspersky.com/4b8fb5faa31496f1f48bdaf1ee7e6f850f631b0b45015ccf31e55cc5b7105c00/results?tab=lookup

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/4b8fb5faa31496f1f48bdaf1ee7e6f850f631b0b45015ccf31e55cc5b7105c00

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4b8fb5faa31496f1f48bdaf1ee7e6f850f631b0b45015ccf31e55cc5b7105c00/

Verdict:

Malicious

Threat:

Family.SNAKE

Link:

https://tip.neiki.dev/file/4b8fb5faa31496f1f48bdaf1ee7e6f850f631b0b45015ccf31e55cc5b7105c00

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2025-09-30 04:44:49 UTC

File Type:

Text (Batch)

AV detection:

6 of 24 (25.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=joh3l6vdcslpd5el3ly647tpquhwggyliuavztzr4vomlnyqlqaa._file

Verdict:

malicious

Label(s):

vipkeylogger

VIPKeylogger

5835857507ffd6d949bf2f69e45d965c859ca5791d496e82135ffd9083062bed

VIPKeylogger

864c37e89869ea3662f720df0acabf8cee0c861b5b908515f805746b432a7260

VIPKeylogger

94dde278918e0eab10c0a5818653f73a779d19632fa3f6e603f146bcf709e732

VIPKeylogger

9f298889e338ec83549b41aa0e20713bf17a81afe6dcce141e5085c3a4e2e8af

VIPKeylogger

b355c43bd26f9727f4a9461afe6ee78995deceb671ebfddc6f7cf895cc663a02

VIPKeylogger

bc9850a2d113f4653d3e20d7d09054240d88a74a2157fd213a6433a489d9b81d

VIPKeylogger

de054d8f9b649022d29cfcf89c05e8468e765fb5a5543d25abe29b9e41a3abae

VIPKeylogger

dfa331f1fd51ebe6f1d20c667a0bf42c27d634f3d0135aef4ad7c1579d43cdbd

VIPKeylogger

error

VIPKeylogger

fe386321400e854668b2d82cb426c25936969b2c078d693a3d1290cc0634cfe9

VIPKeylogger

+ 1'577 additional samples on MalwareBazaar

Result

Malware family:

vipkeylogger

Score:

10/10

Tags:

family:vipkeylogger collection discovery execution keylogger stealer

Link:

https://tria.ge/reports/250930-h6vj4astgt/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Browser Information Discovery

System Location Discovery: System Language Discovery

Accesses Microsoft Outlook profiles

Command and Scripting Interpreter: PowerShell

Looks up external IP address via web service

Badlisted process makes network request

VIPKeylogger

Vipkeylogger family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4b8fb5faa31496f1f48bdaf1ee7e6f850f631b0b45015ccf31e55cc5b7105c00

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	botnet_plaintext_c2 Create hunting rule
Author:	cip
Description:	Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/29540/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample