MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a97401834fff1b8cab82e8a7dc22a83f8e16a2fbf8a6103fad1afc04abd2074a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



VIPKeylogger


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash: a97401834fff1b8cab82e8a7dc22a83f8e16a2fbf8a6103fad1afc04abd2074a
SHA3-384 hash: 8b12c4624bebd03a093e77302a7493c8d33eb3fba53c4c0e70c975dfc7add8ecc3ed7478a68419940a7b3b73b7d0ea6f
SHA1 hash: b3fc08a2b4dfff5b240c163ea210e04002f37de1
MD5 hash: 9cd431f26b71e9c98fb485bccd262372
humanhash: leopard-avocado-pizza-lithium
File name:PEDIDO.js
Download: download sample
Signature VIPKeylogger
File size:2'397'954 bytes
First seen:2026-03-31 16:05:39 UTC
Last seen:2026-03-31 16:09:34 UTC
File type:Java Script (JS) js
MIME type:text/csv
ssdeep 192:mgMy1jaNgbYkZYqlF7HUchEEaOeHG58bV82djbBr+L7sfqxmigbaN6FTfGFsy26R:mOjzM3zqCI3hTIR9M2hb7zFnk
TLSH T13BB5F92C1BA7C877E49453035C0AA2AB9D8C199FDC17B31ABEDCD5C1D810B4B65ADCB2
Magika javascript
Reporter proxylife
Tags:js VIPKeylogger

Intelligence


File Origin
# of uploads :
3
# of downloads :
25
Origin country :
SN SN
Vendor Threat Intelligence
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated
Verdict:
Malicious
File Type:
js
First seen:
2026-03-31T10:54:00Z UTC
Last seen:
2026-04-01T14:41:00Z UTC
Hits:
~100
Detections:
Trojan.VBS.SAgent.sb Trojan.JS.SAgent.sb HEUR:Trojan-Downloader.Script.Generic HEUR:Trojan.Script.Generic
Gathering data
Threat name:
Win32.Trojan.Yomal
Status:
Malicious
First seen:
2026-03-31 17:44:23 UTC
File Type:
Binary
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Result
Malware family:
vipkeylogger
Score:
  10/10
Tags:
family:vipkeylogger collection discovery execution keylogger stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Command and Scripting Interpreter: JavaScript
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Process spawned unexpected child process
VIPKeylogger
Vipkeylogger family
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments