MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69e96604cdcbac20930473ca5b26f804b82ccf14269dbf92d1e83e573048895c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VIPKeylogger


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 69e96604cdcbac20930473ca5b26f804b82ccf14269dbf92d1e83e573048895c
SHA3-384 hash: ca36c7449187292cf68be24344c796c697ce47a58e0ccbc15f090a3cd1a54d6c51a491b760be3c4ea01a17c3542b6d80
SHA1 hash: 6f1c8f7ec634c8c9c3ede434fd0a3c435627cd75
MD5 hash: b1d2e5ef246d094670ccf60de37b46fd
humanhash: item-pip-tango-yellow
File name:RFQ SPECS & DATASHEET.js
Download: download sample
Signature VIPKeylogger
Create hunting rule
File size:384'632 bytes
First seen:2025-11-18 06:53:46 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 6144:p8IEJbt1ZDb35gvDP4GPZUdS/DjXI0o6dvW2agJpcXZ:bE1t1ZDb35gReS/9d9adp
Threatray 209 similar samples on MalwareBazaar
TLSH T15E84FBA41A6D7C8FEE2F1E4915E0768B09EA513180DF670FE895C0EE21709A89F5D1CF
Magika javascript
Reporter abuse_ch
Tags:js VIPKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
SE SE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BAT.Obfus-10.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=691c1839bdb0ec3a9dc30276
Tags:
autorun spam
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
repaired
Link:
https://www.filescan.io/uploads/691c1832ee9cbb28043f1be1/reports/f19c55fb-b43e-4030-857c-a39a1f28df7b/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/69e96604cdcbac20930473ca5b26f804b82ccf14269dbf92d1e83e573048895c
Verdict:
Malicious
File Type:
js
First seen:
2025-11-17T23:35:00Z UTC
Last seen:
2025-11-20T04:42:00Z UTC
Hits:
~1000
Detections:
Trojan-Downloader.JS.Cryptoload.sb Trojan.VBS.SAgent.sb PDM:Trojan.Win32.Generic HEUR:Trojan.Script.SAgent.gen HEUR:Trojan.PowerShell.Tesre.sb HEUR:Trojan.BAT.Tesre.gen HEUR:Trojan-Downloader.Script.Generic Trojan.BAT.Agent.sb Trojan.PowerShell.AmsiBypass.sb Trojan.JS.SAgent.sb HEUR:Trojan.Script.Generic
Link:
https://opentip.kaspersky.com/69e96604cdcbac20930473ca5b26f804b82ccf14269dbf92d1e83e573048895c/results?tab=lookup
Result
Threat name:
Snake Keylogger, VIP Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1815812
Signature
.NET source code contains a sample name check
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
Creates processes via WMI
Drops script or batch files to the startup folder
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1815812 Sample: RFQ SPECS & DATASHEET.js Startdate: 18/11/2025 Architecture: WINDOWS Score: 100 97 reallyfreegeoip.org 2->97 99 api.telegram.org 2->99 101 3 other IPs or domains 2->101 111 Suricata IDS alerts for network traffic 2->111 113 Found malware configuration 2->113 115 Malicious sample detected (through community Yara rule) 2->115 121 15 other signatures 2->121 10 wscript.exe 1 1 2->10         started        13 cmd.exe 2->13         started        15 cmd.exe 1 2->15         started        17 4 other processes 2->17 signatures3 117 Tries to detect the country of the analysis system (by using the IP) 97->117 119 Uses the Telegram API (likely for C&C communication) 99->119 process4 signatures5 137 Wscript starts Powershell (via cmd or directly) 10->137 139 Windows Scripting host queries suspicious COM object (likely to drop second stage) 10->139 141 Suspicious execution chain found 10->141 143 Creates processes via WMI 10->143 19 cmd.exe 1 10->19         started        22 cmd.exe 13->22         started        24 conhost.exe 13->24         started        26 cmd.exe 1 15->26         started        28 conhost.exe 15->28         started        30 cmd.exe 1 17->30         started        32 cmd.exe 1 17->32         started        34 cmd.exe 17->34         started        36 5 other processes 17->36 process6 signatures7 123 Suspicious powershell command line found 19->123 125 Wscript starts Powershell (via cmd or directly) 19->125 127 Bypasses PowerShell execution policy 19->127 38 cmd.exe 1 19->38         started        40 conhost.exe 19->40         started        42 cmd.exe 22->42         started        45 cmd.exe 1 26->45         started        47 cmd.exe 1 30->47         started        49 cmd.exe 1 32->49         started        51 cmd.exe 34->51         started        53 cmd.exe 36->53         started        process8 signatures9 55 cmd.exe 2 38->55         started        145 Suspicious powershell command line found 42->145 147 Wscript starts Powershell (via cmd or directly) 42->147 58 powershell.exe 42->58         started        62 conhost.exe 42->62         started        64 powershell.exe 45->64         started        66 conhost.exe 45->66         started        68 2 other processes 47->68 70 2 other processes 49->70 72 2 other processes 51->72 74 2 other processes 53->74 process10 dnsIp11 129 Suspicious powershell command line found 55->129 131 Wscript starts Powershell (via cmd or directly) 55->131 76 powershell.exe 16 29 55->76         started        81 conhost.exe 55->81         started        103 193.122.130.0, 49739, 49743, 80 ORACLE-BMC-31898US United States 58->103 83 C:\Users\user\AppData\Roaming\...\f456.bat, ASCII 58->83 dropped 133 Tries to steal Mail credentials (via file / registry access) 58->133 135 Tries to harvest and steal browser information (history, passwords, etc) 58->135 85 C:\Users\user\AppData\Roaming\...\7d0f.bat, ASCII 64->85 dropped 87 C:\Users\user\AppData\Roaming\...\6fa5.bat, ASCII 68->87 dropped 89 C:\Users\user\AppData\Roaming\...\bf9d.bat, ASCII 70->89 dropped 91 C:\Users\user\AppData\Roaming\...\0195.bat, ASCII 72->91 dropped 93 C:\Users\user\AppData\Roaming\...\041c.bat, ASCII 74->93 dropped file12 signatures13 process14 dnsIp15 105 mail.ekolticaret.com 5.250.254.200, 49695, 49704, 49729 AYSIMATR Turkey 76->105 107 api.telegram.org 149.154.167.220, 443, 49694, 49701 TELEGRAMRU United Kingdom 76->107 109 2 other IPs or domains 76->109 95 C:\Users\user\AppData\Roaming\...\8f58.bat, ASCII 76->95 dropped 149 Drops script or batch files to the startup folder 76->149 151 Tries to steal Mail credentials (via file / registry access) 76->151 153 Found suspicious powershell code related to unpacking or dynamic code loading 76->153 155 2 other signatures 76->155 file16 signatures17
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/69e96604cdcbac20930473ca5b26f804b82ccf14269dbf92d1e83e573048895c
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/69e96604cdcbac20930473ca5b26f804b82ccf14269dbf92d1e83e573048895c/
Verdict:
Malicious
Threat:
Family.SNAKE
Link:
https://tip.neiki.dev/file/69e96604cdcbac20930473ca5b26f804b82ccf14269dbf92d1e83e573048895c
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-11-18 06:54:50 UTC
File Type:
Text (HTML)
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nhuwmbgnzowcbeyeopffwjxyas4cztyue2o37ewr5a7fomcirfoa._file
Verdict:
malicious
Label(s):
vipkeylogger
Create hunting rule
Similar samples:
03034db898bb76e51b941005585251b64956ae5ff4ce2e55cbbdab9174e00a55
VIPKeylogger
05afcd6fed8fc4ae9c43f7de2c0d717eb02f91fed941246231d88cfb01170400
VIPKeylogger
3c3315293e6b55efbdb2020b21f1d82b70360dfe880d2f88b5080d2abbfcbfd5
VIPKeylogger
6f96b534bcfec55b97dbeb18cbeaf59c2a7b745e667fea1a0998b1ff9df72b45
VIPKeylogger
750178918522765b83b32510dce10c8cf9614ae72b95539f93b8ba7088bb1779
VIPKeylogger
833273614f0b78225a6b6975e70c0a07cc0052a448c3eb175cf6af0edb6ed4b3
VIPKeylogger
958a20415c168faffee4e9d9f61e496012a9138fc20faf361c3d8102b5b91c08
VIPKeylogger
aaddb0601ec56272d1fa36b29bd5c35d9d8705841a16a84dcee9f0698b2bde15
VIPKeylogger
dfcfd9411491364986e5933eac3626e484c6fcf3921ddb86fe99edf180ecc225
VIPKeylogger
error
VIPKeylogger
+ 199 additional samples on MalwareBazaar
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:vipkeylogger collection discovery execution keylogger stealer
Link:
https://tria.ge/reports/251118-hphh7svqal/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Command and Scripting Interpreter: JavaScript
System Location Discovery: System Language Discovery
Accesses Microsoft Outlook profiles
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Drops startup file
Badlisted process makes network request
Process spawned unexpected child process
VIPKeylogger
Vipkeylogger family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/69e96604cdcbac20930473ca5b26f804b82ccf14269dbf92d1e83e573048895c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments