MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f96b534bcfec55b97dbeb18cbeaf59c2a7b745e667fea1a0998b1ff9df72b45. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VIPKeylogger


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6f96b534bcfec55b97dbeb18cbeaf59c2a7b745e667fea1a0998b1ff9df72b45
SHA3-384 hash: 9591ce0bed97de848d00f1932c6b35842fa97cc88560383b320e8c215f2e350dba7d6c5e3af64e1cf4a0c487f50436b7
SHA1 hash: 7c2f299296ba696572d38dc475f65c1077edd9d4
MD5 hash: 4ab207cdef81ceca90607bdb62aef2a6
humanhash: one-winter-montana-tennessee
File name:Factura Rectificativa ES 2025.11.06.vbs
Download: download sample
Signature VIPKeylogger
Create hunting rule
File size:296'057 bytes
First seen:2025-11-08 16:46:24 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 6144:rsugAp5sa+i2CnxIZaLF+FgAXf7asJIyIlbFnpmyLyMEvrQ6KwKCBaejPg:f+Dvp9BM
Threatray 187 similar samples on MalwareBazaar
TLSH T14F54E2E495FF5EDF86D72593A3B33D1108299501131A02548E9AFFE42821C1BB6BDAFC
Magika vba
Reporter abuse_ch
Tags:vbs VIPKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
41
Origin country :
SE SE
Vendor Threat Intelligence
Detection:
VIPKeyLogger
Create hunting rule
Link:
https://www.capesandbox.com/analysis/36552/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=690f741b3afb53888cc9cea7
Tags:
backdoor spawn spam blic
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm base64 cmd evasive fingerprint lolbin masquerade obfuscated powershell
Link:
https://www.filescan.io/uploads/690f741445d0218fdf1ee7a0/reports/50685235-54dd-4acb-a892-b2584b6deb08/overview
Verdict:
Malicious
Labled as:
VBS/TrojanDropper.Agent
Link:
https://www.hybrid-analysis.com/sample/6f96b534bcfec55b97dbeb18cbeaf59c2a7b745e667fea1a0998b1ff9df72b45
Verdict:
Malicious
File Type:
vbs
First seen:
2025-11-06T01:30:00Z UTC
Last seen:
2025-11-10T13:53:00Z UTC
Hits:
~1000
Detections:
HEUR:Trojan-Downloader.Script.Generic HEUR:Trojan.Script.Generic HEUR:Trojan.PowerShell.Tesre.sb Trojan-Downloader.JS.Cryptoload.sb HEUR:Trojan.VBS.SAgent.gen Trojan.PowerShell.AmsiBypass.sb Trojan.JS.SAgent.sb
Link:
https://opentip.kaspersky.com/6f96b534bcfec55b97dbeb18cbeaf59c2a7b745e667fea1a0998b1ff9df72b45/results?tab=lookup
Result
Threat name:
Snake Keylogger, VIP Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1810658
Signature
.NET source code contains a sample name check
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
Creates processes via WMI
Drops script or batch files to the startup folder
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1810658 Sample: Factura Rectificativa ES 20... Startdate: 08/11/2025 Architecture: WINDOWS Score: 100 99 reallyfreegeoip.org 2->99 101 api.telegram.org 2->101 103 2 other IPs or domains 2->103 111 Suricata IDS alerts for network traffic 2->111 113 Found malware configuration 2->113 115 Malicious sample detected (through community Yara rule) 2->115 121 16 other signatures 2->121 10 wscript.exe 1 2->10         started        14 cmd.exe 2->14         started        16 cmd.exe 1 2->16         started        18 4 other processes 2->18 signatures3 117 Tries to detect the country of the analysis system (by using the IP) 99->117 119 Uses the Telegram API (likely for C&C communication) 101->119 process4 file5 83 C:\Users\Public\PlantationBase.bat, ASCII 10->83 dropped 143 Wscript starts Powershell (via cmd or directly) 10->143 145 Windows Scripting host queries suspicious COM object (likely to drop second stage) 10->145 147 Suspicious execution chain found 10->147 149 Creates processes via WMI 10->149 20 cmd.exe 1 10->20         started        23 cmd.exe 14->23         started        25 conhost.exe 14->25         started        27 cmd.exe 1 16->27         started        29 conhost.exe 16->29         started        31 cmd.exe 1 18->31         started        33 cmd.exe 1 18->33         started        35 cmd.exe 1 18->35         started        37 5 other processes 18->37 signatures6 process7 signatures8 123 Suspicious powershell command line found 20->123 125 Wscript starts Powershell (via cmd or directly) 20->125 127 Bypasses PowerShell execution policy 20->127 39 cmd.exe 1 20->39         started        41 conhost.exe 20->41         started        44 cmd.exe 23->44         started        46 cmd.exe 1 27->46         started        48 cmd.exe 1 31->48         started        50 cmd.exe 1 33->50         started        52 cmd.exe 1 35->52         started        54 cmd.exe 37->54         started        process9 signatures10 56 cmd.exe 2 39->56         started        137 Creates processes via WMI 41->137 139 Suspicious powershell command line found 44->139 141 Wscript starts Powershell (via cmd or directly) 44->141 59 powershell.exe 44->59         started        62 conhost.exe 44->62         started        68 2 other processes 46->68 64 powershell.exe 48->64         started        66 conhost.exe 48->66         started        70 2 other processes 50->70 72 2 other processes 52->72 74 2 other processes 54->74 process11 file12 129 Suspicious powershell command line found 56->129 131 Wscript starts Powershell (via cmd or directly) 56->131 76 powershell.exe 16 29 56->76         started        81 conhost.exe 56->81         started        85 C:\Users\user\AppData\Roaming\...\251c.bat, ASCII 59->85 dropped 133 Tries to steal Mail credentials (via file / registry access) 59->133 135 Tries to harvest and steal browser information (history, passwords, etc) 59->135 87 C:\Users\user\AppData\Roaming\...\befc.bat, ASCII 64->87 dropped 89 C:\Users\user\AppData\Roaming\...\1924.bat, ASCII 68->89 dropped 91 C:\Users\user\AppData\Roaming\...\8196.bat, ASCII 70->91 dropped 93 C:\Users\user\AppData\Roaming\...\52a0.bat, ASCII 72->93 dropped 95 C:\Users\user\AppData\Roaming\...\7ecb.bat, ASCII 74->95 dropped signatures13 process14 dnsIp15 105 checkip.dyndns.com 132.226.247.73, 49720, 49724, 49727 UTMEMUS United States 76->105 107 api.telegram.org 149.154.167.220, 443, 49723, 49726 TELEGRAMRU United Kingdom 76->107 109 reallyfreegeoip.org 104.21.67.152, 443, 49721, 49725 CLOUDFLARENETUS United States 76->109 97 C:\Users\user\AppData\Roaming\...\a974.bat, ASCII 76->97 dropped 151 Drops script or batch files to the startup folder 76->151 153 Tries to steal Mail credentials (via file / registry access) 76->153 155 Found suspicious powershell code related to unpacking or dynamic code loading 76->155 157 Loading BitLocker PowerShell Module 76->157 file16 signatures17
Score:
99%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/6f96b534bcfec55b97dbeb18cbeaf59c2a7b745e667fea1a0998b1ff9df72b45
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6f96b534bcfec55b97dbeb18cbeaf59c2a7b745e667fea1a0998b1ff9df72b45/
Verdict:
Malicious
Threat:
Family.VIPKEYLOGGER
Link:
https://tip.neiki.dev/file/6f96b534bcfec55b97dbeb18cbeaf59c2a7b745e667fea1a0998b1ff9df72b45
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2025-11-06 07:06:19 UTC
File Type:
Text
AV detection:
7 of 24 (29.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n6llknf473cvxf635mmmx2xvtqvhw5c6mz76ugqjtcy77hpxfncq._file
Verdict:
malicious
Label(s):
vipkeylogger
Create hunting rule
Similar samples:
05afcd6fed8fc4ae9c43f7de2c0d717eb02f91fed941246231d88cfb01170400
VIPKeylogger
4ffb945bc637b8c2e1d287c1f6127121d967e1366f0a437f2b7f505fac391f5d
VIPKeylogger
750178918522765b83b32510dce10c8cf9614ae72b95539f93b8ba7088bb1779
VIPKeylogger
80943dad82a060b3506f2312c2d282f117e08a1b16cd9f1f6fcaf852be916407
VIPKeylogger
833273614f0b78225a6b6975e70c0a07cc0052a448c3eb175cf6af0edb6ed4b3
VIPKeylogger
864f41d231931ce8dda8dfef17c84106adab9d3d2023b5e41ddc403e79ea3461
VIPKeylogger
db893d34023865952c4ba57e6e3330c424c828bc6a42c9edb224a48cc53b3a30
VIPKeylogger
error
VIPKeylogger
+ 177 additional samples on MalwareBazaar
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:vipkeylogger collection discovery execution keylogger stealer
Link:
https://tria.ge/reports/251108-vansws1ral/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
System Location Discovery: System Language Discovery
Accesses Microsoft Outlook profiles
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Drops startup file
Badlisted process makes network request
Process spawned unexpected child process
VIPKeylogger
Vipkeylogger family
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/36552/

Comments