MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94a5d0a78eb2c92ead0a0a9055649c5b4e0fb1f2b175ff5c0dd7434f11da7ec3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



VIPKeylogger


Vendor detections: 19



SHA256 hash: 94a5d0a78eb2c92ead0a0a9055649c5b4e0fb1f2b175ff5c0dd7434f11da7ec3
SHA3-384 hash: 7284100f72e8e6dfa7dbfbcefc9ba94ea4ef0ef3264a802dad69f3ebad6b7704ef3db3295b2e2b72313cfa0362b95056
SHA1 hash: f60fd252b8cf59627d4737732cd939cfb4753d54
MD5 hash: 2eb338bd3f66fe435d189c4d400a9b42
humanhash: nitrogen-snake-ink-nuts
File name: DOT-0876545678900000.com
Signature VIPKeylogger
File size: 922'624 bytes
First seen: 2026-01-29 10:17:18 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'845 x AgentTesla, 19'778 x Formbook, 12'302 x SnakeKeylogger)
ssdeep 24576:S4EX30CB4k/3Aot29nWXmu635NfOOYqRUwgrWGpHYXGFa:fE30o4a3AOenBYqRUnaGx3
Threatray 14 similar samples on MalwareBazaar
TLSH T1E115121DBBAAD911C6CD0FBAE003418E52FBC416F626F3564D8B18B45DB5B0CC45E6A3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter lowmal3
Tags: exe VIPKeylogger

Intelligence


File Origin
# of uploads :
1
# of downloads :
124
Origin country :
DE
Vendor Threat Intelligence
Malware configuration found for:
DeepSea (decrypted strings)
Malware family:
n/a
ID:
1
File name:
DOT-0876545678900000.com
Verdict:
Malicious activity
Analysis date:
2026-01-29 10:19:16 UTC
Tags:
snake keylogger evasion telegram auto-startup susp-lnk stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
94.9%
Tags:
backdoor autorun micro hype
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Creating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Stealing user critical data
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
explorer krypt lolbin masquerade obfuscated obfuscated packed
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-01-29T07:01:00Z UTC
Last seen:
2026-01-31T06:49:00Z UTC
Hits:
~100
Detections:
Trojan-PSW.Win32.Stealer.sb Trojan.MSIL.Inject.sb Trojan.MSIL.Agent.sb HEUR:Trojan-Spy.MSIL.KeyLogger.gen PDM:Trojan.Win32.Generic Trojan-PSW.Win32.Stelega.sb Trojan.MSIL.Crypt.sb HEUR:Trojan-Spy.MSIL.Agent.sb HEUR:Trojan.WinLNK.Powecod.e Trojan-Spy.Stealer.FTP.C&C Trojan-PSW.SnakeLogger.HTTP.C&C HEUR:Trojan-PSW.MSIL.Stealer.gen
Result
Threat name:
Snake Keylogger, VIP Keylogger
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Uses the Telegram API (likely for C&C communication)
Windows shortcut file (LNK) contains suspicious command line arguments
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Behaviour
Behavior Graph (ID: 1859668; sample DOT-0876545678900000.com.exe; start date 29/01/2026; architecture WINDOWS; score 100), summarised from the graph:
Processes: DOT-0876545678900000.com.exe starts a second DOT-0876545678900000.com.exe instance (module proxying detected; steals mail credentials); powershell.exe starts conhost.exe and IvWYRZLnEDk.exe; IvWYRZLnEDk.exe (AV and multi-AV detection for dropped file; module proxying) starts three further IvWYRZLnEDk.exe instances, which steal mail credentials and harvest browser information.
Dropped files: C:\Users\user\AppData\...\IvWYRZLnEDk.exe (PE32); C:\Users\...\IvWYRZLnEDk.exe:Zone.Identifier (ASCII); C:\Users\...\DOT-0876545678900000.com.exe.log (ASCII).
Network: api.telegram.org 149.154.166.110:443 (TELEGRAMRU, United Kingdom; Telegram API likely used for C&C); checkip.dyndns.com 193.122.130.0 (ORACLE-BMC-31898US, United States); reallyfreegeoip.org 172.67.177.134:443 (CLOUDFLARENETUS, United States; used to detect the analysis system's country by IP); 2 other IPs or domains.
Graph-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 13 other signatures.
Threat name:
Win32.Trojan.GenSteal
Status:
Malicious
First seen:
2026-01-29 09:59:37 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
18 of 24 (75.00%)
Threat level:
5/5
Result
Malware family:
vipkeylogger
Score:
10/10
Tags:
family:vipkeylogger collection discovery keylogger spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Drops startup file
Reads user/profile data of local email clients
Reads user/profile data of web browsers
VIPKeylogger
Vipkeylogger family
Unpacked files
SHA256 hash:
94a5d0a78eb2c92ead0a0a9055649c5b4e0fb1f2b175ff5c0dd7434f11da7ec3
MD5 hash:
2eb338bd3f66fe435d189c4d400a9b42
SHA1 hash:
f60fd252b8cf59627d4737732cd939cfb4753d54
SHA256 hash:
4852b40a99f8b39ec611f1edb41ec86e0150c1c874c579d1449859180d6f74b7
MD5 hash:
85389c873788c4e5b031ce383add1259
SHA1 hash:
396411dbe97f230aabf27f496335b1587f3e2a3c
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
SHA256 hash:
a7a27ee417c3c508edfa039f6d4b27eaaca31b29e78fc5e87bb9ac88d8d846b9
MD5 hash:
e845f41f74d69ba4fe1e4b58fae27b10
SHA1 hash:
45131b421f6208ba6e8ec2500e9335c7a4f5d0ea
SHA256 hash:
e2187b80781c7876e2cb554b745e015b89c9542836673d69b3d6c81ced61d7b4
MD5 hash:
ab13694199b65232eacd918cd3529574
SHA1 hash:
9f71856c8e2ae8cf065eb567ed5cf73ee355b86e
Detections:
win_samsam_auto SUSP_OBF_NET_Reactor_Native_Stub_Jan24 MAL_Malware_Imphash_Mar23_1 MetaStealer_NET_Reactor_packer MALWARE_Win_RedLine
SHA256 hash:
3f0ea87dde460f6aece42233fba4c66e96b7c1bfc477d7c74481056fce420e4a
MD5 hash:
580386c2b02fc956f3e7f989bd9dd7bc
SHA1 hash:
156aae6b63b13de5c49f53100967364a214bcca2
Detections:
win_404keylogger_g1 MAL_Envrial_Jan18_1 INDICATOR_SUSPICIOUS_Binary_References_Browsers INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients INDICATOR_SUSPICIOUS_EXE_DotNetProcHook INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
SHA256 hash:
30b72b95d1441b44087d95d200f942a2716e206595d5c7e84828d51673f68578
MD5 hash:
3c0d37b218c5c886b7256cea6e6ff93c
SHA1 hash:
d7b0ef27c229b9dce21b0505db8cc2f94aae3670
Detections:
win_404keylogger_g1 MAL_Envrial_Jan18_1 INDICATOR_SUSPICIOUS_Binary_References_Browsers INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients INDICATOR_SUSPICIOUS_EXE_DotNetProcHook INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Author:malware-lu
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Signature: VIPKeylogger
Sample: Executable exe 94a5d0a78eb2c92ead0a0a9055649c5b4e0fb1f2b175ff5c0dd7434f11da7ec3 (this sample)
Delivery method: Distributed via e-mail attachment
