MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c8115cc0506a6265a0714ab5d151bb7cd8032c999fea2987edd343b8e76cdbcf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



VIPKeylogger


Vendor detections: 13



SHA256 hash: c8115cc0506a6265a0714ab5d151bb7cd8032c999fea2987edd343b8e76cdbcf
SHA3-384 hash: 126a43b10ecbedbb9c253e9d34b1470d2dcd0ab49d4617731d2fc7e8461e78ff482170f0a4316856768cd0294adf5d18
SHA1 hash: 9ccc6361cee498ddc5ee589dd91c485feae4ad64
MD5 hash: d1b914147acfdea7ae6e3eaa3c6df00c
humanhash: leopard-jersey-quebec-harry
File name: Checklist Approval.hta
Signature: VIPKeylogger
File size: 1'264'805 bytes
First seen: 2026-07-01 06:43:41 UTC
Last seen: 2026-07-01 06:56:26 UTC
File type: HTML Application (hta)
MIME type: text/html
ssdeep: 24576:lqRLhgiR19Li+h1BsuxtmZxdTYOqr+WuaXm0WvCGsrhhMHv8Ob+hzH7hkkGc:lwGW1Y+2x/TgMv8g8bh3
Threatray: 2'756 similar samples on MalwareBazaar
TLSH: T127453321796D2F540668D33B21172F5E0E76AF43A868A0DF39CC98CE6F93A61C947D70
Magika: txt
Reporter: lowmal3
Tags: hta VIPKeylogger

Intelligence


File Origin
# of uploads: 8
# of downloads: 74
Origin country: DE

Vendor Threat Intelligence

No detections

Verdict: Malicious
Score: 99.9%
Tags: autoit emotet zbot

Result
Verdict: Malicious
File Type: HTA File - Malicious

Behaviour
BlacklistAPI detected

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: dropper obfuscated

Verdict: Malicious
File Type: hta
First seen: 2026-06-30T08:27:00Z UTC
Last seen: 2026-07-02T02:44:00Z UTC
Hits: ~10000
Detections: HEUR:Trojan.Script.Generic HEUR:Trojan.PowerShell.Kryptik.gen Trojan.Win32.Shellcode.sb Trojan-PSW.Win32.Stelega.sb Trojan-PSW.Win32.Stealer.sb Trojan-Dropper.Win32.Injector.sb Trojan.JS.SAgent.sb Trojan-Dropper.JS.SDrop.sb PDM:Trojan.Win32.Generic Backdoor.Win32.Androm.sb HEUR:Worm.Script.Generic

Result
Threat name: Koadic, DonutLoader, Snake Keylogger, VI
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates a thread in another existing process (thread injection)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected DonutLoader
Yara detected Koadic BAT payload
Yara detected malicious HTA
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Behaviour
Behavior Graph: rendered as an image on the original page (Behavior Graph ID: 1935907; Sample: Checklist Approval.hta; Startdate: 01/07/2026; Architecture: WINDOWS; Score: 100). Process chain shown in the graph: mshta.exe starts cmd.exe and powershell.exe, which drop tmp875274.bat.gz / tmp875274.bat and aqxuklgowzoifs.ps1 under the user's AppData folder and launch vijewyufveonabghulluonouceyasi.exe; that executable writes to and creates a thread in charmap.exe, and charmap.exe then contacts api.telegram.org, checkip.dyndns.com and reallyfreegeoip.org.
Threat name: Document-HTML.Infostealer.Zeus
Status: Malicious
First seen: 2026-06-30 13:33:26 UTC
File Type: Text (HTML)
Extracted files: 1
AV detection: 6 of 36 (16.67%)
Threat level: 5/5

Result
Malware family: vipkeylogger
Score: 10/10
Tags: family:donutloader family:vipkeylogger collection discovery execution keylogger loader persistence stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Detects DonutLoader
Family: DonutLoader
Family: VIPKeylogger
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BlackGuard_Rule
Author: Jiho Kim
Description: Yara rule for BlackGuard Stealer v1.0 - v3.0
Reference: https://www.virustotal.com/gui/file/67843d45ba538eca29c63c3259d697f7e2ba84a3da941295b9207cdb01c85b71/detection

Rule name: html_auto_download_b64
Author: Tdawg
Description: html auto download

Rule name: telebot_framework
Author: vietdx.mb

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Family: VIPKeylogger
File type: HTML Application (hta)
SHA256: c8115cc0506a6265a0714ab5d151bb7cd8032c999fea2987edd343b8e76cdbcf (this sample)

Delivery method: Distributed via e-mail attachment
