MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5b4b14bdd91fb5b71a5f2c0567694e8bd8bff8d6396444ee389dc6e95df173d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VIPKeylogger


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b5b4b14bdd91fb5b71a5f2c0567694e8bd8bff8d6396444ee389dc6e95df173d
SHA3-384 hash: 4b56903188588989d53632ad79eebc5139dfcb83ede74bcf5bdf0aa60b3b3ad9a089ed77ff529de70cb6e475f0602500
SHA1 hash: 8899b0621e2bfe1bab8702614734299a8db41ef0
MD5 hash: 2630bb5e0e5e9820eab9f40fbd1508a3
humanhash: blossom-robert-robin-red
File name:Updated Price List for 2025 Business Year.exe
Download: download sample
Signature VIPKeylogger
Create hunting rule
File size:798'720 bytes
First seen:2025-07-17 11:58:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:6vGeX/3plPWh/Xycy2fRfszEpt7eLGqu66W/Epuw8S98/+gtaQiLl:6ug5lPe/ycyw7MLt9bw83g
TLSH T19D05020873D99806D8EE0BB65931C1B0537B7D0DA935C30B6AEEBE9F7BA33019911752
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter lowmal3
Tags:exe VIPKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
39
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Updated Price List for 2025 Business Year.exe
Verdict:
Malicious activity
Analysis date:
2025-07-17 11:58:41 UTC
Tags:
netreactor snake keylogger evasion telegram stealer exfiltration smtp
Link:
https://app.any.run/tasks/24b5e036-dd6b-418d-aba8-51ead2fb58f3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/15021/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.3373.11442.8733.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6878e5a084b37dd61eef1819
Tags:
masslogger snake spam
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Forced shutdown of a browser
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6878e5a819132d984881ea70/reports/1d43371e-7621-45d5-bee0-f3e48e5e6dfc/overview
Verdict:
Malicious
Labled as:
Genie.8DN.Generic
Link:
https://www.hybrid-analysis.com/sample/b5b4b14bdd91fb5b71a5f2c0567694e8bd8bff8d6396444ee389dc6e95df173d
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/f320e959-4234-42b7-beb4-55a00827a487
Result
Threat name:
Snake Keylogger, VIP Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1738745
Signature
.NET source code contains potential unpacker
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b5b4b14bdd91fb5b71a5f2c0567694e8bd8bff8d6396444ee389dc6e95df173d
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable PDB Path PE (Portable Executable) SOS: 0.03 Win 32 Exe x86
Link:
https://app.malva.re/file/2630bb5e0e5e9820eab9f40fbd1508a3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b5b4b14bdd91fb5b71a5f2c0567694e8bd8bff8d6396444ee389dc6e95df173d/
Verdict:
Malicious
Threat:
ByteCode-MSIL.Trojan.MassLogger
Link:
https://tip.neiki.dev/file/b5b4b14bdd91fb5b71a5f2c0567694e8bd8bff8d6396444ee389dc6e95df173d
Threat name:
Win32.Trojan.MassLogger
Create hunting rule
Status:
Malicious
First seen:
2025-07-17 07:04:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ww2lcs65sh5vw4nf6lafm5uu5c6yx74nmoleitxdrhog5fo7c46q._file
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:vipkeylogger collection discovery keylogger spyware stealer
Link:
https://tria.ge/reports/250717-n5xwqacn81/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
VIPKeylogger
Vipkeylogger family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a173fad1-f31b-4bd6-bc9d-242bee507d63
Unpacked files
SH256 hash:
b5b4b14bdd91fb5b71a5f2c0567694e8bd8bff8d6396444ee389dc6e95df173d
MD5 hash:
2630bb5e0e5e9820eab9f40fbd1508a3
SHA1 hash:
8899b0621e2bfe1bab8702614734299a8db41ef0
Link:
https://www.unpac.me/results/4066de9e-1d95-4017-858e-78bf7faf6a69/
SH256 hash:
bd8c200470cdc5846adaec7d794b763abf6cdaa7bb38954fc55a86d587c07a38
MD5 hash:
aa7631d7134cb4d30a45943848da15c8
SHA1 hash:
0faa3f764c731bda55ee6cba3c7672fd19d6f4b6
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/4066de9e-1d95-4017-858e-78bf7faf6a69/
SH256 hash:
14725c2e4d97123050fab53d956a1eb027afefa2904111bcfca0751387c306b8
MD5 hash:
7c5818ef062d25ecfbcb7db884a530c5
SHA1 hash:
241525d7500302bb0a91b15d71a6ca0da0ee0d23
Link:
https://www.unpac.me/results/4066de9e-1d95-4017-858e-78bf7faf6a69/
SH256 hash:
13458dd050a25036fb51bc701f32762e9c29bd77d97765637508a0a1fe7a4be1
MD5 hash:
e59b0f345b4d2a77531d8673d34d4314
SHA1 hash:
723a9c392098334a0f74fec8b0ad0a9c317db7fe
Detections:
win_404keylogger_g1
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Link:
https://www.unpac.me/results/4066de9e-1d95-4017-858e-78bf7faf6a69/
Parent samples :
eb54ebd946de089a842c01f8f72e8d74e7308f22d01b1c5e422aef85807494e2
b5b4b14bdd91fb5b71a5f2c0567694e8bd8bff8d6396444ee389dc6e95df173d
1fa3c4e703405564123cb7d433d69566075ae20b4ba894c91681b0f55b14c14d
1a8cae4d0b7aed52a77e8e33770bfc4148c5766b8f4e24614a2953b5e931ed35
f2215030e25ace46d59ee7ca2fd12c4cfb8d6f220d848e51abd2bbd13c98e071
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b5b4b14bdd91fb5b71a5f2c0567694e8bd8bff8d6396444ee389dc6e95df173d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

VIPKeylogger

Executable exe b5b4b14bdd91fb5b71a5f2c0567694e8bd8bff8d6396444ee389dc6e95df173d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/15021/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments