MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 687e8747abfc36f1ad89e220d1f59c89e3214c71a98ec65417d486daa87eef8f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

VIPKeylogger

Vendor detections: 17

Intelligence 17 IOCs YARA 4 File information Comments

SHA256 hash:	687e8747abfc36f1ad89e220d1f59c89e3214c71a98ec65417d486daa87eef8f
SHA3-384 hash:	2ec8f9a3f794c990534b9685329edacb9ae15689c807d27d44cdb926192210b9159409e6b67702c9a32a5b1779509645
SHA1 hash:	0a3adfd247a08624cd82a7166ee539b6afd4db83
MD5 hash:	c456f10243e43a0b0a6586e72c284346
humanhash:	fish-sweet-florida-cold
File name:	687e8747abfc36f1ad89e220d1f59c89e3214c71a98ec65417d486daa87eef8f
Download:	download sample
Signature	VIPKeylogger Create hunting rule
File size:	1'097'216 bytes
First seen:	2026-05-08 13:27:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'916 x AgentTesla, 19'820 x Formbook, 12'309 x SnakeKeylogger)
ssdeep	24576:hLMkNvULYmcs63pGo1IDjgGYSHgODgmJKlusF74tUwIM:qkNGEsKpH1SgGYSAOMmJeJFnxM
TLSH	T16535125C36559B03E9A61BF80972F23527B90D9FA812D30E9FE87CEBB561B114D24383
TrID	73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.6% (.EXE) Win64 Executable (generic) (6522/11/2) 4.5% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	adrian__luca
Tags:	exe VIPKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

134

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

RoboSki

Details

Link:

https://research.acce.ciphertechsolutions.com/results/da8c4164-e029-429d-a853-bf4eb05066b8/

Malware family:

n/a

ID:

File name:

_687e8747abfc36f1ad89e220d1f59c89e3214c71a98ec65417d486daa87eef8f.exe

Verdict:

Malicious activity

Analysis date:

2026-05-08 13:55:50 UTC

Tags:

evasion auto-startup snake keylogger telegram stealer spyware susp-lnk

Link:

https://app.any.run/tasks/b04248e5-4803-4107-99df-11b4d753cf7b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

VIPKeyLogger

Link:

https://www.capesandbox.com/analysis/65343/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.3207.854.24794.UNOFFICIAL

Gathering data

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a service

Сreating synchronization primitives

Creating a process with a hidden window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

DNS request

Connection attempt

Sending an HTTP GET request

Sending a custom TCP request

Adding an exclusion to Microsoft Defender

Enabling autorun by creating a file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

krypt lolbin obfuscated packed tracker vbnet

Link:

https://www.filescan.io/uploads/69fde5172fcb905ec2888651/reports/41912521-4020-429f-9003-ead565fca129/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/687e8747abfc36f1ad89e220d1f59c89e3214c71a98ec65417d486daa87eef8f

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-04-21T03:31:00Z UTC

Last seen:

2026-05-09T07:33:00Z UTC

Hits:

~1000

Detections:

Trojan.MSIL.Inject.sb Trojan-PSW.Win32.Stelega.sb Trojan-PSW.Win32.Stealer.sb HEUR:Trojan-Spy.MSIL.Agent.sb PDM:Trojan.Win32.Generic Trojan.Win32.Agent.sb Trojan.MSIL.Crypt.sb Trojan.MSIL.Agent.sb HEUR:Trojan.MSIL.PowerShell.gen

Link:

https://opentip.kaspersky.com/687e8747abfc36f1ad89e220d1f59c89e3214c71a98ec65417d486daa87eef8f/results?tab=lookup

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/37f901d0-3cf5-48d6-b4ff-ff1da8cf9df0

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/687e8747abfc36f1ad89e220d1f59c89e3214c71a98ec65417d486daa87eef8f

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/687e8747abfc36f1ad89e220d1f59c89e3214c71a98ec65417d486daa87eef8f/

Verdict:

Malicious

Threat:

Family.SNAKE

Link:

https://tip.neiki.dev/file/687e8747abfc36f1ad89e220d1f59c89e3214c71a98ec65417d486daa87eef8f

Threat name:

ByteCode-MSIL.Trojan.SnakeKeyLogger

Status:

Malicious

First seen:

2026-04-21 12:45:56 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 36 (69.44%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nb7ior5l7q3pdlmj4iqnd5m4rhrsctdrvghmmvax2sdnvkd656hq._file

Verdict:

malicious

Label(s):

xworm

vipkeylogger

Similar samples:

error

VIPKeylogger

Result

Malware family:

vipkeylogger

Score:

10/10

Tags:

family:vipkeylogger collection discovery execution keylogger spyware stealer

Link:

https://tria.ge/reports/260508-qrlmmshx5t/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Browser Information Discovery

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Drops startup file

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Command and Scripting Interpreter: PowerShell

Family: VIPKeylogger

Unpacked files

SH256 hash:

687e8747abfc36f1ad89e220d1f59c89e3214c71a98ec65417d486daa87eef8f

MD5 hash:

c456f10243e43a0b0a6586e72c284346

SHA1 hash:

0a3adfd247a08624cd82a7166ee539b6afd4db83

Link:

https://www.unpac.me/results/27cd5c00-4ff3-4531-9905-4e6b974716ab/

SH256 hash:

aac4273e62797013173d25313f4ea87aa8b0d2e57e9fb064218658c664ea5a11

MD5 hash:

f652dc1940ef5e8ea094419267ed2127

SHA1 hash:

321272dc69c64b8cb75bf41c08090ec23970f40a

Link:

https://www.unpac.me/results/27cd5c00-4ff3-4531-9905-4e6b974716ab/

SH256 hash:

95892f0bc179246961e3cf5eeac444143a4f9b455ab740746dad3ecc32c93e62

MD5 hash:

694c313b660123f393332c2f0f7072b5

SHA1 hash:

ee790ec841b7761679a05771d551a154c7f87a93

Detections:

win_404keylogger_g1

win_masslogger_w0

triage_snakekeylogger_infostealer

Link:

https://www.unpac.me/results/27cd5c00-4ff3-4531-9905-4e6b974716ab/

Parent samples :

9a0d20eec0a1e89a656a76aee82bf0619d8b83a0b445e095de190436dd110f42
256b9eb0b0ef69eeee00712c0e9fab59601934633f2bb6d0a0b10ac04bd5b2ab
75cc0d7abb4cb0145f0dc0639fbee4be7925dd45a38664e063095963c482ea78
68d311ac923f8a0854dbfa4d1401c84db61a2c530ec3fb6e1994a690fdfdd38d
5d67d216226094ebbc78b8c39e49b758e0b1624f904e2b6748bcfb39df8d6ed3
ceaa3016ce3897c17e580b58f2a41cc247de57bada3271b30aa389bcf3787ea0
553d904e1d73497fc05af9b9fa570cd6ea72043a445b2c358ce27bc84d28d226
f67799cd9ce6b4691134db9c85bab1ed79cb17d6b9b805916f118251b0d0f1e8
14b61a0155007f6e19dd356eb215652c7eb5dba764e5f059f3e37cbd273c3daa
55b98e06e135730fa23bd4af65b161ba5055a9e915164eb99b9402ad07e6e6df
141fcfa2abaae31d65da4145a537bfe13dd01ec9759d3bc1f6dd8d5ba5c1ff26
ba19434fbc08324b9a2e9ef01c34ce3818a3480f1efa03b864a38931d6d64642
364e64c2f1efc897342a41c5389f83d86cbc6b56e39abcd2a5e48e1a67fa1fae
3a0655a9973e8d7600f228240e1c3494b0acc55f46f218f42c12138d8ab73014
24d6cbd8f4eb920651f82adb1288cd4d5227f6bcd8fe71341ebdeb434bbfae01
dbd4edd258813db2cac4abddb2a4230b62874591c09daa6ffbcd5c9022ebd042
1439e036d8b04775d5462e7dbbb6e0b90e7668545f7ca5dae2aac74e84b184aa
95a769c7e3b0b372e3e4d9534127d61fdeef9186ccc99ed88cba00423178da29
5996e210f83d265a0c745ff669c388a834aedd25426ecee6ddc59111d06eefb0
ff073aa55a06e3bebaf00eb6ddb92061e2a37ecd59b6c4f3a244b75c486e2311
687e8747abfc36f1ad89e220d1f59c89e3214c71a98ec65417d486daa87eef8f

SH256 hash:

2b982a856df29ba12dc5a81e5a19d6b7e106f5f6f7ce3baeff263497afe732ec

MD5 hash:

f6782553574488ead1c850b1368f6183

SHA1 hash:

fb578cbae4a51d6dceb5ae3dc358f56066a97259

Link:

https://www.unpac.me/results/27cd5c00-4ff3-4531-9905-4e6b974716ab/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/687e8747abfc/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/687e8747abfc36f1ad89e220d1f59c89e3214c71a98ec65417d486daa87eef8f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/65343/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample