MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c138eb32a0d4ade14eca1c5d68391ea06addbe969593b68470bd593539053b01. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VIPKeylogger


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c138eb32a0d4ade14eca1c5d68391ea06addbe969593b68470bd593539053b01
SHA3-384 hash: 8c0818c31e99f36d460791fd5466104f128538fed9762b43787b88f617e5042ea7fd9bfad75be4e0d5772ea233eba845
SHA1 hash: d577c310f8c40b4741804f913684a2bf294b0a84
MD5 hash: 2b1b2c474dae91bacb317b50dea9d934
humanhash: blue-colorado-papa-oregon
File name:Justificante Transferencia Costas 5.297,20 €.exe
Download: download sample
Signature VIPKeylogger
Create hunting rule
File size:1'284'872 bytes
First seen:2025-09-16 06:18:46 UTC
Last seen:2025-10-10 06:34:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (527 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 24576:WjQt3i3fIl9xoLK9mO05IHZkkQJpCUeOXFL4lqSRdTJzgyk5S7sY28cVyGSvzD1T:B3iwqsElkQtFXFL4lqSnt65Ot2VkhDKk
TLSH T16E5512C0129EB3ADCAD91AF0D5D8735A88E34F0D19D30ABF6341BA5A98FF681351E513
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter lowmal3
Tags:exe signed VIPKeylogger

Code Signing Certificate

Organisation:Sogneraadsmedlems
Issuer:Sogneraadsmedlems
Algorithm:sha256WithRSAEncryption
Valid from:2025-07-21T01:38:16Z
Valid to:2026-07-21T01:38:16Z
Serial number: 16fe0ef8b01dc8ff2e35bf4216b904f8b4eabc7f
Thumbprint Algorithm:SHA256
Thumbprint: 77da14178a8c88555a4cdafdfda996abd1bde4d35349b5ce46d4f9a35f1caefe
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
204
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Justificante Transferencia Costas 5.297,20 €.exe
Verdict:
Malicious activity
Analysis date:
2025-09-16 06:22:19 UTC
Tags:
evasion snake keylogger telegram stealer exfiltration smtp
Link:
https://app.any.run/tasks/850e174e-5939-498e-9343-eab69be7351f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Guloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/27651/
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c9016cd49ea3f1e4b64f27
Tags:
shellcode injection blic
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file
Delayed reading of the file
Creating a file in the %temp% subdirectories
Sending a custom TCP request
Restart of the analyzed sample
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug blackhole guloader installer microsoft_visual_cc nsis overlay signed unsafe
Link:
https://www.filescan.io/uploads/68c90167dbc6f5a29c46f96c/reports/fa134455-91f7-4694-a4e4-a8ae6328876b/overview
Verdict:
Malicious
Labled as:
Trojan_Win32_Phonzy_B_ml
Link:
https://www.hybrid-analysis.com/sample/c138eb32a0d4ade14eca1c5d68391ea06addbe969593b68470bd593539053b01
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-15T10:23:00Z UTC
Last seen:
2025-09-15T10:23:00Z UTC
Hits:
~1000
Detections:
Trojan-Downloader.Win32.Minix.sb Trojan.Win32.Guloader.sb Trojan.NSIS.Makoob.sbb Trojan.NSIS.Makoob.sba Packed.NSIS.Krynis.sb
Link:
https://opentip.kaspersky.com/c138eb32a0d4ade14eca1c5d68391ea06addbe969593b68470bd593539053b01/results?tab=lookup
Malware family:
Unlabeled
Create hunting rule
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/01739e4f-5618-4513-8bc7-31a4baef4d9e
Result
Threat name:
GuLoader, Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1778248
Signature
AI detected suspicious PE digital signature
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected GuLoader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Score:
93%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c138eb32a0d4ade14eca1c5d68391ea06addbe969593b68470bd593539053b01
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c138eb32a0d4ade14eca1c5d68391ea06addbe969593b68470bd593539053b01/
Verdict:
Malicious
Threat:
Family.SNAKE
Link:
https://tip.neiki.dev/file/c138eb32a0d4ade14eca1c5d68391ea06addbe969593b68470bd593539053b01
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2025-09-15 13:33:43 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ye4owmva2sw6ctwkdrowqoi6ubvn3puwswj3nbdqxvmtkoifhmaq._file
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:vipkeylogger collection discovery downloader keylogger spyware stealer
Link:
https://tria.ge/reports/250916-g3cz7sgl9w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Guloader family
Guloader,Cloudeye
VIPKeylogger
Vipkeylogger family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4951ee71-3cad-4d09-aa43-0325628fa8b7
Unpacked files
SH256 hash:
c138eb32a0d4ade14eca1c5d68391ea06addbe969593b68470bd593539053b01
MD5 hash:
2b1b2c474dae91bacb317b50dea9d934
SHA1 hash:
d577c310f8c40b4741804f913684a2bf294b0a84
Link:
https://www.unpac.me/results/8a48b66a-1009-4f1c-9850-2f7c9a72202c/
SH256 hash:
86c8ee210e6611383a634dcb8c60455063ddae3d7adccbeacf3adf7bf2a46676
MD5 hash:
d2e45dd852a659e11897df573832f381
SHA1 hash:
19990ee627c95b6c18d3b5c5f0ec5c24791d0af5
Link:
https://www.unpac.me/results/8a48b66a-1009-4f1c-9850-2f7c9a72202c/
SH256 hash:
c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448
MD5 hash:
9625d5b1754bc4ff29281d415d27a0fd
SHA1 hash:
80e85afc5cccd4c0a3775edbb90595a1a59f5ce0
Link:
https://www.unpac.me/results/8a48b66a-1009-4f1c-9850-2f7c9a72202c/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c138eb32a0d4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.52
Link:
https://yomi.yoroi.company/submissions/c138eb32a0d4ade14eca1c5d68391ea06addbe969593b68470bd593539053b01

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

VIPKeylogger

Executable exe c138eb32a0d4ade14eca1c5d68391ea06addbe969593b68470bd593539053b01

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/27651/

Comments