MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a6fc6ac52bb2eb9fbe527ec26f3f21b8a3775660883ccd55976a250910dcee2e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VIPKeylogger


Vendor detections: 17


Intelligence 17 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a6fc6ac52bb2eb9fbe527ec26f3f21b8a3775660883ccd55976a250910dcee2e
SHA3-384 hash: 502dbe936cc385a8448e4acdd09c4b71d756f92b9d5a17de6604801b87574ca3587cc4f93f8f1c146a895344f6c3b73d
SHA1 hash: a742e9cd943d39b5894ff028458e8f4e69056164
MD5 hash: 8a91e9bbb5efb1897d865c7de5604083
humanhash: blue-network-solar-texas
File name:Ordine cliente Landoil Technology S.r.l_250004063_20250904_104954.pdf.exe
Download: download sample
Signature VIPKeylogger
Create hunting rule
File size:685'056 bytes
First seen:2025-09-10 12:36:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:RcywRhyk5pKF7FyswuMmI8OB/mAJ0l/Z6FfRSIK2SaqojL4e:qhn5ZzfmI8clGlx6FfAIK2Lq
Threatray 3'593 similar samples on MalwareBazaar
TLSH T194E41208321A8E04D4F50FB06932D2B027A5ADDDE832E70A4FF96DEBF6257154E457A3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter JAMESWT_WT
Tags:exe satis-burakkayis-com Spam-ITA VIPKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
04092025_1523_04092025_Ordine cliente Landoil Technology S.r.l_250004063_20250904_104954.pdf.r11
Verdict:
Malicious activity
Analysis date:
2025-09-10 12:43:15 UTC
Tags:
arch-exec evasion snake keylogger telegram netreactor stealer smtp
Link:
https://app.any.run/tasks/91b4b0f5-17ad-48d2-9129-b728637883dd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/26704/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c170db6e66ba602d79d795
Tags:
underscore micro spawn shell
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Sending a custom TCP request
DNS request
Connection attempt
Sending an HTTP GET request
Reading critical registry keys
Stealing user critical data
Adding an exclusion to Microsoft Defender
Forced shutdown of a browser
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
agenttesla masquerade obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/68c171505ebd1d861ec41522/reports/5a0f6208-9b6d-4bf2-9fb1-0112e8b04626/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/a6fc6ac52bb2eb9fbe527ec26f3f21b8a3775660883ccd55976a250910dcee2e
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-04T07:32:00Z UTC
Last seen:
2025-09-04T07:32:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/a6fc6ac52bb2eb9fbe527ec26f3f21b8a3775660883ccd55976a250910dcee2e/results?tab=lookup
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3d5057cf-c582-4da3-976a-3a601600cfcf
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a6fc6ac52bb2eb9fbe527ec26f3f21b8a3775660883ccd55976a250910dcee2e
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a6fc6ac52bb2eb9fbe527ec26f3f21b8a3775660883ccd55976a250910dcee2e/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2025-09-04 21:37:56 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
29 of 38 (76.32%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u36gvrjlwlvz7pssp3bg6pzbxcrxovtara6m2vmxnisqseg45yxa._file
Verdict:
malicious
Label(s):
vipkeylogger
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
14d5d6c323c724bfb47adf08092eb37799921d3d9a498b188db8f9333d0a4462
VIPKeylogger
26a2714342c817548962d1a9cf5ebb1aacb811c3060fea1269c8280047b8eddf
VIPKeylogger
6d39efcc099850406049865919398ff1e38b06ee4841a9fba76bff863583f520
VIPKeylogger
a6fc6ac52bb2eb9fbe527ec26f3f21b8a3775660883ccd55976a250910dcee2e
VIPKeylogger
e69f506fb5549fac407a4e5e7c3400e73adfe40329a262771d7bae9a5ab1ba17
VIPKeylogger
error
VIPKeylogger
+ 3'583 additional samples on MalwareBazaar
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:vipkeylogger collection discovery execution keylogger spyware stealer
Link:
https://tria.ge/reports/250910-pvah4sam2t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
VIPKeylogger
Vipkeylogger family
Verdict:
Malicious
Tags:
404Keylogger
YARA:
n/a
Link:
https://app.threat.zone/submission/3e9cc394-1bc9-409f-9f6a-f6ac0e80edee
Unpacked files
SH256 hash:
a6fc6ac52bb2eb9fbe527ec26f3f21b8a3775660883ccd55976a250910dcee2e
MD5 hash:
8a91e9bbb5efb1897d865c7de5604083
SHA1 hash:
a742e9cd943d39b5894ff028458e8f4e69056164
Link:
https://www.unpac.me/results/e9402e42-ac33-47b1-b460-b1995a41f502/
SH256 hash:
6b1039ab5b81482376f5584e09067c1eafb8f5d9fb4badf61216201f5b55650a
MD5 hash:
e23f8b4029e280087809d50687fc45a4
SHA1 hash:
e99f0f88168922087df810db5637f6dcd7f9d310
Detections:
win_404keylogger_g1
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Link:
https://www.unpac.me/results/e9402e42-ac33-47b1-b460-b1995a41f502/
SH256 hash:
2cc2a3e556f5f43f6cff50c4277f6e3d91fc88ee7fab211e3396425ec65c5635
MD5 hash:
778ce8efb4dfeef2a40a521d6f065a62
SHA1 hash:
f62febbbfacde0ebba10e2fe32f9767a56561a05
Detections:
win_404keylogger_g1
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Link:
https://www.unpac.me/results/e9402e42-ac33-47b1-b460-b1995a41f502/
SH256 hash:
e50b0550616c4ea9dc2d18d75084f50e6e7da2ccaa2c77a439026957105aad8f
MD5 hash:
540148a4209d7e2b88d0e24b919c2834
SHA1 hash:
5a2042f9c9946e57d02d0d4e9a1ba2c5b1246a1e
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/e9402e42-ac33-47b1-b460-b1995a41f502/
Parent samples :
881aac6c0395e173fe15acd1baf9caf443e73e166176b5040ccdb7e34750ed58
e14543458bbd96f242cc1dbeb9e3ff8c62c592fbe954b6da75fbf7f05aa41a0f
93bba3622d1594eb97ea253dbee9a1d5c495871b73410bccd6c41d7969d3b8a2
a89d88037e6e7321b7da02290aab0139ddf7be1b697388dcc28fba708304682f
e2f435485baa82011fb87477cf73d40c87b87a3579b11ea8d3cb22883ad33682
67b1c7d222568af1d3fe24c18125eac63dad102e029fae7427b7b9a526f63699
2e3c410728b3564bd615f8e6c64a7fc82fd5385542d02d7134d07bcbbc3f9f09
8ece82ad36ddad1e13a955098ea9629364950ed21a1155d7be4921208e62eb0c
26a2714342c817548962d1a9cf5ebb1aacb811c3060fea1269c8280047b8eddf
78f8b46dfdd55f7914e78f925189180f674945327ee3fa9187e2d5de86b15337
a8dabe249da520a24de691d48bf2549dda65bbb3e62cecd148b1ff0080533cac
0cb006d7434c2ffa1b04e4f20a90688e8eb36e82cea2db1641744e235995439b
fcdc9e821a1bd97c87b1c9b9fed76a070f3ff81a0ee0838f49a915336851a029
6b76abca8f35fff263c12beaaf521405a1d3743abde3bc20d8415272b2c5a140
2f76a21937582bd59783cab01437d029a6ccd52635e2a3f424831ad7e444e640
392ec2e0db217dc665b13c2e73b00d0ca2dc3b7f8a47eedf9a715d613e57a464
acfd0a48223c3e021532b6f7cfb12e81ebf2903bd706b9a5d45fb1a020dd7902
9357bf9a67240b9df693123dfcefe78bd468a313243e9ab7769c60eae161f1ad
c3bce19ca32fe499888cec1530bef701ba3d11d7fba776945a2e1245cb162a38
8e7c61db1d4aae49ddbd1ab8586fe752edbd01f30d5214e6e6bc074a3ec05588
a6fc6ac52bb2eb9fbe527ec26f3f21b8a3775660883ccd55976a250910dcee2e
227d7f535bcb6ce158d63d9436429547e9a065b289cf8b0caf8993ddd549190d
SH256 hash:
94a914a52e5c2d12fc86de62fcef55015a39c990defb6a48f7fc07ec05d5b301
MD5 hash:
56d6fbfa5793fe1735ec7f5089579fc6
SHA1 hash:
829be46d0f673874ff0d411173590762f7fc7f98
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/e9402e42-ac33-47b1-b460-b1995a41f502/
SH256 hash:
383df94d827ca5b3e76452c9c7646dcdc84c1eee505c8ffd09a564eb00256117
MD5 hash:
85934f31db6b7f647a07bcbf56ece758
SHA1 hash:
fe686ccd3747c1675c5c59992b5302ee92183dc8
Detections:
win_404keylogger_g1
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Link:
https://www.unpac.me/results/e9402e42-ac33-47b1-b460-b1995a41f502/
Parent samples :
383df94d827ca5b3e76452c9c7646dcdc84c1eee505c8ffd09a564eb00256117
4fd183ba00f63128021f0bb45b0b0b92425222efe10c85225ae813bffe598314
a6fc6ac52bb2eb9fbe527ec26f3f21b8a3775660883ccd55976a250910dcee2e
9e408a2b2f751998eb82a75f38924040e88159298634f4d38de814f5750ca824
5363b10f3f97233cd110918e516973fadba750d34b48af44fd82db21fd16fecb
d3d6333fa6a18d44c7a556c541c4e66619f4c7f8b8d241a50587a4185aa39387
Malware family:
VIPKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a6fc6ac52bb2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a6fc6ac52bb2eb9fbe527ec26f3f21b8a3775660883ccd55976a250910dcee2e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/26704/

Comments