MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1443ce2d09567434662a381c51bc50f3dc5bde281da8214713ba1c3dd17bfed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VIPKeylogger


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a1443ce2d09567434662a381c51bc50f3dc5bde281da8214713ba1c3dd17bfed
SHA3-384 hash: 20df631c4d677e5d41548892e60350c032db924280f6463c0289eecc0c374b66d75926a3ffc6335b3d874bae5c3932b2
SHA1 hash: 2a524a049ad04e6ae1956497850cb7a39db84367
MD5 hash: c3d79163f5c2a81b05e47034cb3effe5
humanhash: harry-batman-jig-pizza
File name:Uudholdeliges.exe
Download: download sample
Signature VIPKeylogger
Create hunting rule
File size:1'292'448 bytes
First seen:2025-09-16 06:14:31 UTC
Last seen:2025-10-10 06:35:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (525 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 24576:kjQt3i3fIl9TohQlutLFgMMcGSPeOXFL4lqSRdTJzgyk5S7sY28cVyGSvzD1DKJs:f3iwJluEMMJSPFXFL4lqSnt65Ot2Vkh1
TLSH T1DC5512C012AEA39DC9D81AF0D6C873AE84E75F0D59D30AFF6341B61A98FF6813159523
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter lowmal3
Tags:exe signed VIPKeylogger

Code Signing Certificate

Organisation:Sheriffs
Issuer:Sheriffs
Algorithm:sha256WithRSAEncryption
Valid from:2025-07-23T23:48:37Z
Valid to:2026-07-23T23:48:37Z
Serial number: 6d63be1686c5c48d73ec291838743de1ab48e0c0
Thumbprint Algorithm:SHA256
Thumbprint: 3abd6b266fa61d795b09de742422857f3f85243bdaf639967c54f0ebcf2ede0a
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
86
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Uudholdeliges.exe
Verdict:
Malicious activity
Analysis date:
2025-09-16 06:16:49 UTC
Tags:
evasion snake keylogger telegram stealer
Link:
https://app.any.run/tasks/25e86df7-a29c-4547-b07d-46820a6dd188

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Guloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/27646/
Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c90091d49ea3f1e4b64eed
Tags:
shellcode uloader virus nsis
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file
Delayed reading of the file
Creating a file in the %temp% subdirectories
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug blackhole guloader installer microsoft_visual_cc nsis overlay signed unsafe
Link:
https://www.filescan.io/uploads/68c9008a0d1238ff0aacb252/reports/04bc0856-10d6-4fac-82e6-853b6bb2b2ef/overview
Verdict:
Malicious
Labled as:
Trojan_Win32_Wacatac_B_ml
Link:
https://www.hybrid-analysis.com/sample/a1443ce2d09567434662a381c51bc50f3dc5bde281da8214713ba1c3dd17bfed
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-15T08:21:00Z UTC
Last seen:
2025-09-15T08:21:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/a1443ce2d09567434662a381c51bc50f3dc5bde281da8214713ba1c3dd17bfed/results?tab=lookup
Malware family:
Unlabeled
Create hunting rule
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/1bfb7224-3723-4cc3-aca4-e8affd14d9e1
Result
Threat name:
GuLoader, Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1778242
Signature
AI detected suspicious PE digital signature
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected GuLoader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Score:
93%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a1443ce2d09567434662a381c51bc50f3dc5bde281da8214713ba1c3dd17bfed
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/c3d79163f5c2a81b05e47034cb3effe5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a1443ce2d09567434662a381c51bc50f3dc5bde281da8214713ba1c3dd17bfed/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2025-09-15 12:36:41 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ufcdzywqsvtugrtcuoa4kg6fb464lppcqhniefdrhoq4hxixx7wq._file
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:vipkeylogger collection discovery downloader keylogger spyware stealer
Link:
https://tria.ge/reports/250916-gz4zhszrx4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Guloader family
Guloader,Cloudeye
VIPKeylogger
Vipkeylogger family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/885f7e00-c52b-4f17-8883-89f7318aea40
Unpacked files
SH256 hash:
a1443ce2d09567434662a381c51bc50f3dc5bde281da8214713ba1c3dd17bfed
MD5 hash:
c3d79163f5c2a81b05e47034cb3effe5
SHA1 hash:
2a524a049ad04e6ae1956497850cb7a39db84367
Link:
https://www.unpac.me/results/04d3920a-879b-46ef-9862-43559b51d0c6/
SH256 hash:
86c8ee210e6611383a634dcb8c60455063ddae3d7adccbeacf3adf7bf2a46676
MD5 hash:
d2e45dd852a659e11897df573832f381
SHA1 hash:
19990ee627c95b6c18d3b5c5f0ec5c24791d0af5
Link:
https://www.unpac.me/results/04d3920a-879b-46ef-9862-43559b51d0c6/
SH256 hash:
c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448
MD5 hash:
9625d5b1754bc4ff29281d415d27a0fd
SHA1 hash:
80e85afc5cccd4c0a3775edbb90595a1a59f5ce0
Link:
https://www.unpac.me/results/04d3920a-879b-46ef-9862-43559b51d0c6/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a1443ce2d095/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.52
Link:
https://yomi.yoroi.company/submissions/a1443ce2d09567434662a381c51bc50f3dc5bde281da8214713ba1c3dd17bfed

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

VIPKeylogger

Executable exe a1443ce2d09567434662a381c51bc50f3dc5bde281da8214713ba1c3dd17bfed

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/27646/

Comments