MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c44ed6fb3fd9fd892acbb0ed7a92bc56c8b09d04e470f0496ecd9770a2064b57. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

VIPKeylogger

Vendor detections: 14

Intelligence 14 IOCs YARA 3 File information Comments

SHA256 hash:	c44ed6fb3fd9fd892acbb0ed7a92bc56c8b09d04e470f0496ecd9770a2064b57
SHA3-384 hash:	2c9220db6fbad6b42e5cfb15c6d1f7b08f859649d541ce605c00c3578dc169221b4f6ca4ff05c624b04030ab89ff39ec
SHA1 hash:	fe14427001c2c097368f7533baa2d4551edd1706
MD5 hash:	67f058662d541ddd352fee656749ef8a
humanhash:	double-sad-social-yankee
File name:	THUS.bat
Download:	download sample
Signature	VIPKeylogger Create hunting rule
File size:	170'956 bytes
First seen:	2026-04-28 20:21:40 UTC
Last seen:	Never
File type:	bat
MIME type:	text/x-msdos-batch
ssdeep	3072:mPXxR2PP3748LmZc3P+QzDv8sLePGOVz4mX/baxrE8NWzPEoItF:mPiPPBLisLeZVzpXTmE8Qzcoo
Threatray	3'481 similar samples on MalwareBazaar
TLSH	T154F3F116D5C55F249FB95A04907C264E73F4878A8437A1DEA6576C02BF6F608823F3CB
Magika	batch
Reporter	BastianHein
Tags:	bat VIPKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

BatchScript

Details

Link:

https://research.acce.ciphertechsolutions.com/results/6c500aba-c86b-462a-b6a5-abbe2eb3718b/

Malware family:

n/a

ID:

File name:

REF-ORDER CONFIRMATION OF PO-R2045.bat

Verdict:

Malicious activity

Analysis date:

2026-04-28 13:02:01 UTC

Tags:

evasion api-base64 susp-powershell

Link:

https://app.any.run/tasks/df3d28bb-0130-41c9-8309-eb869e35d1ce

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/63935/

Detection(s):

SecuriteInfo.com.Trojan.BAT.Agent.19542.32455.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching cmd.exe command interpreter

Creating a file in the %AppData% subdirectories

Launching a process

Enabling the 'hidden' option for recently created files

Creating a file

Creating a file in the %temp% directory

Creating a process from a recently created file

Сreating synchronization primitives

Creating a process with a hidden window

DNS request

Connection attempt

Sending an HTTP GET request

Sending a custom TCP request

Setting a single autorun event

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

base64 cmd lolbin obfuscated rundll32

Link:

https://www.filescan.io/uploads/69f1170081aa9ec3bc30101a/reports/8251c172-258e-4efb-9866-813ee90f5771/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/c44ed6fb3fd9fd892acbb0ed7a92bc56c8b09d04e470f0496ecd9770a2064b57

Verdict:

Malicious

File Type:

unix shell

First seen:

2026-04-26T23:49:00Z UTC

Last seen:

2026-04-29T15:31:00Z UTC

Hits:

~10000

Detections:

Trojan-PSW.Win32.Xploder.sb Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Agent.sb Backdoor.MSIL.Cardinal.sb Trojan.Win32.Shellcode.sb Trojan.Win32.Agent.sb Trojan-PSW.Win32.Stelega.sb Trojan-Dropper.Win32.Injector.sb HEUR:Trojan.MSIL.Rozena.gen HEUR:Trojan.BAT.Obfus.gen HEUR:Backdoor.MSIL.Agent.gen Backdoor.Win32.Androm.sb Trojan.PowerShell.Cobalt.sb PDM:Trojan.Win32.Generic Exploit.Win64.Shellcode.sliverloader.a

Link:

https://opentip.kaspersky.com/c44ed6fb3fd9fd892acbb0ed7a92bc56c8b09d04e470f0496ecd9770a2064b57/results?tab=lookup

Score:

99%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/c44ed6fb3fd9fd892acbb0ed7a92bc56c8b09d04e470f0496ecd9770a2064b57

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c44ed6fb3fd9fd892acbb0ed7a92bc56c8b09d04e470f0496ecd9770a2064b57/

Verdict:

Malicious

Threat:

Family.SNAKE

Link:

https://tip.neiki.dev/file/c44ed6fb3fd9fd892acbb0ed7a92bc56c8b09d04e470f0496ecd9770a2064b57

Threat name:

Script-BAT.Trojan.Donutloader

Status:

Malicious

First seen:

2026-04-27 04:11:45 UTC

File Type:

Text (Batch)

AV detection:

11 of 36 (30.56%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yrhnn6z73h6yskwlwdwxvev4k3elbhie4rypaslozwlxbiqgjnlq._file

Verdict:

malicious

Label(s):

donutloader

vipkeylogger

VIPKeylogger

499422f120167b0924edbbd1d66f51101b36d53f83f7f56e65c020c7f2950f37

VIPKeylogger

61061bd61fd9b9abc52c6041993114456744e4bde92f22423daea647b7f02c5b

VIPKeylogger

72f84baa1495278d7c162ef90d6428030db333aec673f5739d61907aa4cf1aed

VIPKeylogger

74de71d06d873e0cc8d6d92c2a340a6b7be6f5867772edf7790bff0297814636

VIPKeylogger

77507a11e22c4276f550c19e8ce4fcbeadb0cc1caf1f90d7a6a0d5c5ea9af9e6

VIPKeylogger

c1ac4217e48ba5dcd89a543db47563a12b7e402193145d7d71ae7b3351cad47b

VIPKeylogger

ceabf3e47d73bfece45a45e1165a7415f6da53bbff551684dc04779faf798bb9

VIPKeylogger

d621ee9d0a113413a75149e14ed3f222e8a3d2f74a9206627f6c873fea0968f6

VIPKeylogger

e145d07069dd9959f941d52ba708d8d8ff14cd029ccb9133e83f3f3249c0a002

VIPKeylogger

error

VIPKeylogger

+ 3'471 additional samples on MalwareBazaar

Result

Malware family:

vipkeylogger

Score:

10/10

Tags:

family:donutloader family:vipkeylogger defense_evasion execution keylogger loader persistence privilege_escalation stealer

Link:

https://tria.ge/reports/260428-y5qshset7z/

Behaviour

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Views/modifies file attributes

Adds Run key to start application

Looks up external IP address via web service

Event Triggered Execution: Component Object Model Hijacking

Command and Scripting Interpreter: PowerShell

Detects DonutLoader

Family: DonutLoader

Family: VIPKeylogger

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c44ed6fb3fd9fd892acbb0ed7a92bc56c8b09d04e470f0496ecd9770a2064b57

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Base64_Encoded_Powershell_Directives Create hunting rule

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/63935/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample