MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f3847aaddec3a20df952aab271926683dd771643ad091b0fd5ba8f359f54589. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VIPKeylogger


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5f3847aaddec3a20df952aab271926683dd771643ad091b0fd5ba8f359f54589
SHA3-384 hash: d5089ad9e81b9d380718c18fe6aa41a7d64381f0c0e27f14ca947879ce37a90dead289a8bc499a9155762c9a79fb2373
SHA1 hash: a133f2991752997b9bfc4bb0c303da5d869983c2
MD5 hash: 9a404d448bd594d7c4e0b5eb79003611
humanhash: october-robin-don-nitrogen
File name:Teklif TalebiRFQ-25-004668.exe
Download: download sample
Signature VIPKeylogger
Create hunting rule
File size:691'712 bytes
First seen:2025-03-24 12:19:47 UTC
Last seen:2025-03-24 12:21:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:rDXLCspC28VPTODf8rZMoMYn6QsS8d9ApaIVRsSAeg4iYoGh2vwN5wksk:XXLCsQVqb8+vYn8UpaBehoQ24NF
Threatray 4'591 similar samples on MalwareBazaar
TLSH T15AE412AC6584DD2EDDC413710932EBF65139AEAEE805C393CEECBC977A02319791D690
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter adrian__luca
Tags:exe geo TUR VIPKeylogger

Intelligence

File Origin
# of uploads :
3
# of downloads :
377
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Teklif TalebiRFQ-25-004668.exe
Verdict:
Malicious activity
Analysis date:
2025-03-25 07:03:19 UTC
Tags:
evasion snake keylogger telegram stealer ims-api generic
Link:
https://app.any.run/tasks/501593e5-4210-485e-93e5-5cf634a6c531

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67e24bb2bb84e066269ed882
Tags:
keylog spawn word
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Stealing user critical data
Adding an exclusion to Microsoft Defender
Forced shutdown of a browser
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/67e14e22de7b23ce171da52d/reports/97c6a4a5-7b55-4930-ac5b-4501dbf3d84d/overview
Verdict:
Malicious
Labled as:
Trojan.GenericS
Link:
https://www.hybrid-analysis.com/sample/5f3847aaddec3a20df952aab271926683dd771643ad091b0fd5ba8f359f54589
Result
Verdict:
MALICIOUS
Result
Threat name:
VIP Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1647022
Behaviour
Behavior Graph:
n/a
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5f3847aaddec3a20df952aab271926683dd771643ad091b0fd5ba8f359f54589
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5f3847aaddec3a20df952aab271926683dd771643ad091b0fd5ba8f359f54589/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-03-19 17:27:47 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
24 of 36 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l44epkw55q5cbx4vfkvsogjgna65o4lehlijdmh5loupgwpviweq._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
vipkeylogger
Create hunting rule
Similar samples:
1165717b02389369d7ab9514eb0dcec76800a5e5d4764922b88bcb73e46ae279
VIPKeylogger
2fee9e3c6155c5716c179eec08819cd55bc5dc1171cb7ad47036ece432cfb1ef
VIPKeylogger
46811ff66868e4f3febe3a5f2374997ea2b1d407f15ffc269444b6fbc431dda1
VIPKeylogger
4a4ba7d3ee33b946c726769f6251c1adb4bfd6bc90e679ea3ae394c9117174ca
VIPKeylogger
5ce0f0aea4c4aae607838cd574a6860e8745ed8eade9dc6156864ac5c521c944
VIPKeylogger
e5c3febab37a06659361fbfb93aff167b685270ba63a71a86fa9892379abfbf3
VIPKeylogger
error
VIPKeylogger
+ 4'581 additional samples on MalwareBazaar
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:vipkeylogger collection discovery execution keylogger spyware stealer
Link:
https://tria.ge/reports/250324-phzmgaztc1/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
VIPKeylogger
Vipkeylogger family
Verdict:
Malicious
Tags:
404keylogger
YARA:
n/a
Link:
https://app.threat.zone/submission/1708c0c7-2981-4d1d-a24a-195de9f70fb4
Unpacked files
SH256 hash:
03075c74d71a232eea76a19c574be00793e2a220e8eed33a2931871550b4fd88
MD5 hash:
52cec6a47d7e6b989efd9c6d782bf109
SHA1 hash:
17ab001a30d82609a227601b39c793f885b6580b
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/35c86084-32cd-4d00-80c7-8d66a20f7a18/
SH256 hash:
6cc675383d39a3e65382c233178eff7d36028ce1e7c0cb49e6ba7028801ea88f
MD5 hash:
f28afb1dbf2153165c7deacc59d652b5
SHA1 hash:
492b84fcd0f99abf787fd3e6e3c5c7c1138f23c0
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/35c86084-32cd-4d00-80c7-8d66a20f7a18/
Parent samples :
23fa78e02d1a9efdc334e21810403ca734bf6d874fb8953969c3819ebe6e9d64
48e453efa8b657ca3d61c6f287bf0c9f8c1b58a226558eaf5170d4f8aeffa80a
2bddc691ac1e13d8f9c9dcf3bbee24b74f058d009eca808565713e8584935336
52b4d7823920d16c025377a31d30c8241919f4c435ee9e973e1e4e7e10301175
e8bbe027f2c39bba3aceb23f86f97ceda9eeb24fc3d4ae3cb9ebf4cd5ee8cd2b
311a1b25e9e43bad0b8e042cc70f13dc836775cbeb2ba8dc534e55830eb43d5c
074b2b30aaa8e0e7eb1c9362a7f995e69ff229cd202016d39aedd7151cbb4f3c
5f3847aaddec3a20df952aab271926683dd771643ad091b0fd5ba8f359f54589
SH256 hash:
782ff1f686e458f9ffdd989555f1457fb6a86653645a06bb266a1b742e8fc4ee
MD5 hash:
9d19033e6a0922eab6cc70033c6c4b36
SHA1 hash:
ff0b2df9d621ddcf5cfb2d9b5692c0dfbf1c86d7
Detections:
win_404keylogger_g1
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Link:
https://www.unpac.me/results/35c86084-32cd-4d00-80c7-8d66a20f7a18/
Parent samples :
50e5353cf814e1f75d7c18a99c897670905b7e119d5d02cb532e0466819d68ba
3600d33c7e14a371b391e1e949a16454a26014007dca981bdcd177dbd234f797
5f3847aaddec3a20df952aab271926683dd771643ad091b0fd5ba8f359f54589
SH256 hash:
5f3847aaddec3a20df952aab271926683dd771643ad091b0fd5ba8f359f54589
MD5 hash:
9a404d448bd594d7c4e0b5eb79003611
SHA1 hash:
a133f2991752997b9bfc4bb0c303da5d869983c2
Link:
https://www.unpac.me/results/35c86084-32cd-4d00-80c7-8d66a20f7a18/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5f3847aaddec3a20df952aab271926683dd771643ad091b0fd5ba8f359f54589

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

VIPKeylogger

Executable exe 5f3847aaddec3a20df952aab271926683dd771643ad091b0fd5ba8f359f54589

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments