MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5835857507ffd6d949bf2f69e45d965c859ca5791d496e82135ffd9083062bed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VIPKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5835857507ffd6d949bf2f69e45d965c859ca5791d496e82135ffd9083062bed
SHA3-384 hash: 2b84d40b8ce20e45b88c9c3515c4ea9402b80085fc6923caccc4cf17e34c16420246e6a4bc13b4fa95207fb69e672ff0
SHA1 hash: a02b371d995d0782224696ae5ba7e13d2a94bffa
MD5 hash: b1a828ce729a9694d943825cd861f7e4
humanhash: jig-seventeen-louisiana-illinois
File name:DHL НАПОМНИТЕЛНО ПИСМО - 1004734260.vbs
Download: download sample
Signature VIPKeylogger
Create hunting rule
File size:324'935 bytes
First seen:2025-09-30 06:26:25 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 3072:e2a3CoPk+RY4MsNOByqL/P72rpEkcShbjODkMz3hguj8Yn34AEpuxU:e2a3Cz1u7kXarikcShbjWz378Y3pQZ
Threatray 1'583 similar samples on MalwareBazaar
TLSH T14164DBEA2DC60FA61A101FFF62F11DDF1D919292FA44E16879917CE1A31223C5F7868C
Magika vba
Reporter abuse_ch
Tags:DHL vbs VIPKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
46
Origin country :
SE SE
Vendor Threat Intelligence
Detection:
VIPKeyLogger
Create hunting rule
Link:
https://www.capesandbox.com/analysis/29535/
Detection(s):
SecuriteInfo.com.BAT.Shell-1.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68db784840b7da0b4eb8d081
Tags:
autorun spam
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 evasive masquerade obfuscated powershell
Link:
https://www.filescan.io/uploads/68db78f6c564c8e81d0a9a45/reports/4c3ea3e2-516e-4df7-8e2b-aeb4e6ee43fa/overview
Verdict:
Suspicious
Labled as:
TrojanDropper/VBS.Agent
Link:
https://www.hybrid-analysis.com/sample/5835857507ffd6d949bf2f69e45d965c859ca5791d496e82135ffd9083062bed
Verdict:
Malicious
File Type:
vbs
First seen:
2025-09-30T01:44:00Z UTC
Last seen:
2025-09-30T01:44:00Z UTC
Hits:
~1000
Detections:
Trojan.PowerShell.AmsiBypass.sb Trojan-Downloader.JS.Cryptoload.sb PDM:Trojan.Win32.Generic HEUR:Trojan.BAT.Tesre.gen Trojan.JS.SAgent.sb HEUR:Trojan.VBS.SAgent.gen HEUR:Trojan.Script.Generic HEUR:Trojan.PowerShell.Tesre.sb HEUR:Trojan-Downloader.Script.Generic Trojan.BAT.Agent.sb
Link:
https://opentip.kaspersky.com/5835857507ffd6d949bf2f69e45d965c859ca5791d496e82135ffd9083062bed/results?tab=lookup
Result
Threat name:
Snake Keylogger, VIP Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1786420
Signature
.NET source code contains a sample name check
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Creates processes via WMI
Drops script or batch files to the startup folder
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1786420 Sample: 041e#U041c#U041d#U0418#U042... Startdate: 30/09/2025 Architecture: WINDOWS Score: 100 113 reallyfreegeoip.org 2->113 115 api.telegram.org 2->115 117 4 other IPs or domains 2->117 135 Suricata IDS alerts for network traffic 2->135 137 Found malware configuration 2->137 139 Malicious sample detected (through community Yara rule) 2->139 145 16 other signatures 2->145 10 wscript.exe 1 2->10         started        14 cmd.exe 1 2->14         started        16 cmd.exe 1 2->16         started        18 8 other processes 2->18 signatures3 141 Tries to detect the country of the analysis system (by using the IP) 113->141 143 Uses the Telegram API (likely for C&C communication) 115->143 process4 dnsIp5 89 C:\Users\Public\StreamProperty6870.bat, ASCII 10->89 dropped 151 Wscript starts Powershell (via cmd or directly) 10->151 153 Windows Scripting host queries suspicious COM object (likely to drop second stage) 10->153 155 Suspicious execution chain found 10->155 157 Creates processes via WMI 10->157 21 cmd.exe 1 10->21         started        24 cmd.exe 1 14->24         started        26 conhost.exe 14->26         started        28 cmd.exe 1 16->28         started        30 conhost.exe 16->30         started        119 127.0.0.1 unknown unknown 18->119 32 cmd.exe 1 18->32         started        34 cmd.exe 18->34         started        36 cmd.exe 18->36         started        38 11 other processes 18->38 file6 signatures7 process8 signatures9 147 Suspicious powershell command line found 21->147 149 Wscript starts Powershell (via cmd or directly) 21->149 40 cmd.exe 1 21->40         started        42 conhost.exe 21->42         started        44 cmd.exe 1 24->44         started        47 cmd.exe 1 28->47         started        49 cmd.exe 1 32->49         started        51 cmd.exe 34->51         started        53 cmd.exe 36->53         started        55 cmd.exe 38->55         started        57 3 other processes 38->57 process10 signatures11 59 cmd.exe 2 40->59         started        167 Suspicious powershell command line found 44->167 169 Wscript starts Powershell (via cmd or directly) 44->169 62 powershell.exe 44->62         started        66 conhost.exe 44->66         started        68 2 other processes 47->68 70 2 other processes 49->70 72 2 other processes 51->72 74 2 other processes 53->74 76 2 other processes 55->76 78 6 other processes 57->78 process12 dnsIp13 159 Suspicious powershell command line found 59->159 161 Wscript starts Powershell (via cmd or directly) 59->161 80 powershell.exe 16 29 59->80         started        85 conhost.exe 59->85         started        121 193.122.130.0, 49712, 80 ORACLE-BMC-31898US United States 62->121 91 C:\Users\user\AppData\Roaming\...\9a80.bat, ASCII 62->91 dropped 163 Tries to steal Mail credentials (via file / registry access) 62->163 165 Tries to harvest and steal browser information (history, passwords, etc) 62->165 123 mail.crestforce.net 124.217.241.153, 49730, 49738, 49759 SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY Malaysia 68->123 125 api.telegram.org 149.154.167.220, 443, 49724, 49736 TELEGRAMRU United Kingdom 68->125 93 C:\Users\user\AppData\Roaming\...\860d.bat, ASCII 68->93 dropped 95 C:\Users\user\AppData\Roaming\...\c83b.bat, ASCII 70->95 dropped 97 C:\Users\user\AppData\Roaming\...\bf3f.bat, ASCII 72->97 dropped 99 C:\Users\user\AppData\Roaming\...\8560.bat, ASCII 74->99 dropped 101 C:\Users\user\AppData\Roaming\...\cb95.bat, ASCII 76->101 dropped 103 C:\Users\user\AppData\Roaming\...\fb70.bat, ASCII 78->103 dropped 105 C:\Users\user\AppData\Roaming\...\a0c5.bat, ASCII 78->105 dropped 107 C:\Users\user\AppData\Roaming\...\793f.bat, ASCII 78->107 dropped file14 signatures15 process16 dnsIp17 109 checkip.dyndns.com 132.226.8.169, 49683, 49693, 49695 UTMEMUS United States 80->109 111 reallyfreegeoip.org 172.67.177.134, 443, 49692, 49694 CLOUDFLARENETUS United States 80->111 87 C:\Users\user\AppData\Roaming\...\d17a.bat, ASCII 80->87 dropped 127 Drops script or batch files to the startup folder 80->127 129 Tries to steal Mail credentials (via file / registry access) 80->129 131 Found suspicious powershell code related to unpacking or dynamic code loading 80->131 133 Loading BitLocker PowerShell Module 80->133 file18 signatures19
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/5835857507ffd6d949bf2f69e45d965c859ca5791d496e82135ffd9083062bed
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5835857507ffd6d949bf2f69e45d965c859ca5791d496e82135ffd9083062bed/
Verdict:
Susipicious
Link:
https://tip.neiki.dev/file/5835857507ffd6d949bf2f69e45d965c859ca5791d496e82135ffd9083062bed
Threat name:
Script-WScript.Spyware.Negasteal
Create hunting rule
Status:
Suspicious
First seen:
2025-09-30 06:30:46 UTC
File Type:
Text
AV detection:
9 of 24 (37.50%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=la2yk5ih77lnssn7f5u6ixmwlsczzjlzdvew5aqtl76zbaygfpwq._file
Verdict:
malicious
Label(s):
vipkeylogger
Create hunting rule
Similar samples:
044d63ab7ef7390e0db6d6809165edaefc81b164e32ccb8f6bc522a746254f3f
VIPKeylogger
13daad4c1352c39e0372e14c5e87e8b51f3a7ace5a0fe04d220d583b260d1697
VIPKeylogger
1eeefad3b4af3c0592006bbf93b5ef9c958d72470aa26bb2c042f5e3966eb059
VIPKeylogger
864c37e89869ea3662f720df0acabf8cee0c861b5b908515f805746b432a7260
VIPKeylogger
94dde278918e0eab10c0a5818653f73a779d19632fa3f6e603f146bcf709e732
VIPKeylogger
95395d7084066ff82bbb48afaa5148d172d3cb021387792262070071d517b5f0
VIPKeylogger
9f298889e338ec83549b41aa0e20713bf17a81afe6dcce141e5085c3a4e2e8af
VIPKeylogger
b355c43bd26f9727f4a9461afe6ee78995deceb671ebfddc6f7cf895cc663a02
VIPKeylogger
bc9850a2d113f4653d3e20d7d09054240d88a74a2157fd213a6433a489d9b81d
VIPKeylogger
dfa331f1fd51ebe6f1d20c667a0bf42c27d634f3d0135aef4ad7c1579d43cdbd
VIPKeylogger
error
VIPKeylogger
+ 1'573 additional samples on MalwareBazaar
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:vipkeylogger collection discovery execution keylogger stealer
Link:
https://tria.ge/reports/250930-g9bqqabq3s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
System Location Discovery: System Language Discovery
Accesses Microsoft Outlook profiles
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Drops startup file
Badlisted process makes network request
Process spawned unexpected child process
VIPKeylogger
Vipkeylogger family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5835857507ffd6d949bf2f69e45d965c859ca5791d496e82135ffd9083062bed

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ClamAV_Emotet_String_Aggregate
Create hunting rule
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/29535/

Comments