MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c890ac9696d1c6e2469d18e24bbb8b32b0cfe63e14ad0d23ecd2a2bb2a10d071. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VIPKeylogger


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c890ac9696d1c6e2469d18e24bbb8b32b0cfe63e14ad0d23ecd2a2bb2a10d071
SHA3-384 hash: 79073d37d1935151acc80d157dce4373440644c915d93c317c63e303b5247ebc8c006de6294f758bf1348ae9cbb529aa
SHA1 hash: a4437f5661ec50e649f558f72a0d2569b138e75e
MD5 hash: 56f1132a6610fad86371ed0574f5d6d9
humanhash: alabama-item-december-romeo
File name:PUCHASR ORDER - 4551194455.exe
Download: download sample
Signature VIPKeylogger
Create hunting rule
File size:307'712 bytes
First seen:2026-02-04 14:01:26 UTC
Last seen:2026-02-04 14:26:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b3268c6695493109f8e62e5bec097245 (1 x VIPKeylogger)
ssdeep 6144:rhqmX4zebJfWFoyFtj3/pDocvdauZH6eMG+xgWUTgQkp9+OSPg5yPmFXkvU7Dwsu:rQmIi9fWNTxPaKH6eMG+rUkQksoggD8j
Threatray 2'599 similar samples on MalwareBazaar
TLSH T1696422A0EB4F1BA7F948293913F3A730CDE305B34D4298C983D4A05B6D14AD5467BCC6
TrID 38.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.6% (.ICL) Windows Icons Library (generic) (2059/9)
15.4% (.EXE) OS/2 Executable (generic) (2029/13)
15.2% (.EXE) Generic Win/DOS Executable (2002/3)
15.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter threatcat_ch
Tags:exe VIPKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
126
Origin country :
CH CH
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
PUCHASR ORDER - 4551194455.exe
Verdict:
Malicious activity
Analysis date:
2026-02-04 14:02:08 UTC
Tags:
snake keylogger evasion telegram stealer
Link:
https://app.any.run/tasks/57057ebf-299d-4746-9f93-6f72c89b6b78

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
VIPKeyLogger
Create hunting rule
Link:
https://www.capesandbox.com/analysis/51693/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6983516d6b1af47db72cd067
Tags:
phishing backdoor virus hype
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/c890ac9696d1c6e2469d18e24bbb8b32b0cfe63e14ad0d23ecd2a2bb2a10d071
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-02-04T06:21:00Z UTC
Last seen:
2026-02-05T11:41:00Z UTC
Hits:
~10000
Detections:
Trojan-Spy.Stealer.FTP.C&C Trojan-PSW.Win32.Stelega.sb Trojan.MSIL.Donut.sb HEUR:Trojan-PSW.MSIL.Stealer.gen Trojan.Win32.Shellcode.sb Trojan.Win32.Agent.sb Trojan-PSW.Win32.Stealer.sb Trojan-PSW.SnakeLogger.HTTP.C&C Trojan-PSW.MSIL.Stealer.sb Trojan.Win64.Agentb.sb VHO:Trojan.Win32.Shellcode.mce HEUR:Trojan.Win32.Generic Trojan.Win64.DonutInjector.sb Trojan.Win64.Donut.sb VHO:Trojan-PSW.MSIL.Agent.gen Trojan.Win32.Shellcode.mce VHO:Trojan.Win32.Agent.gen
Link:
https://opentip.kaspersky.com/c890ac9696d1c6e2469d18e24bbb8b32b0cfe63e14ad0d23ecd2a2bb2a10d071/results?tab=lookup
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8f3fd37c-51be-4d5f-9eb1-1ae844556f36
Result
Threat name:
DonutLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1863293
Signature
Allocates memory in foreign processes
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Sets debug register (to hijack the execution of another thread)
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected DonutLoader
Behaviour
Behavior Graph:
Download SVG
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c890ac9696d1c6e2469d18e24bbb8b32b0cfe63e14ad0d23ecd2a2bb2a10d071
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/56f1132a6610fad86371ed0574f5d6d9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c890ac9696d1c6e2469d18e24bbb8b32b0cfe63e14ad0d23ecd2a2bb2a10d071/
Verdict:
Malicious
Threat:
Family.SNAKE
Link:
https://tip.neiki.dev/file/c890ac9696d1c6e2469d18e24bbb8b32b0cfe63e14ad0d23ecd2a2bb2a10d071
Threat name:
Win64.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2026-02-04 11:44:08 UTC
File Type:
PE+ (Exe)
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zcikzfuw2hdoeru5ddrexo4lgkym7zr6cswq2i7m2krlwkqq2byq._file
Verdict:
malicious
Label(s):
vipkeylogger
Create hunting rule
donutloader
Create hunting rule
Similar samples:
1a9dedcdb3fa783b8211f36d2eeb9791e78df7dfedcecd4b08608484aea3c1bf
VIPKeylogger
3215c8d11f86adfb39aa9334aacefb4d61643669fd2bcd3a5068117187c775cf
VIPKeylogger
386e075c4b38ed2f8a1288d41f3d3508ff84337a0f9507c51f46ad01eb0c1613
VIPKeylogger
c890ac9696d1c6e2469d18e24bbb8b32b0cfe63e14ad0d23ecd2a2bb2a10d071
VIPKeylogger
c9fe8a53f318210648f805094af93245fb05c4bf3e36d07be96c07ad434eb096
VIPKeylogger
cb0abae850df78ff16fd40f2f6b3ea4f88edc5fb10ef670b4e6439c45d92ebaa
VIPKeylogger
e2ce99e1e13320ce7b3daaa486701a5587a3692905d9ce91bc75c4e498ce2983
VIPKeylogger
error
VIPKeylogger
fbfa970adebde6e46f5f73d868d1568c8119bbd15e4cc77324c018cc5314cff3
VIPKeylogger
+ 2'589 additional samples on MalwareBazaar
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:donutloader family:vipkeylogger collection discovery keylogger loader stealer
Link:
https://tria.ge/reports/260204-rb8ynsez4h/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Detects DonutLoader
DonutLoader
Donutloader family
VIPKeylogger
Vipkeylogger family
Unpacked files
SH256 hash:
c890ac9696d1c6e2469d18e24bbb8b32b0cfe63e14ad0d23ecd2a2bb2a10d071
MD5 hash:
56f1132a6610fad86371ed0574f5d6d9
SHA1 hash:
a4437f5661ec50e649f558f72a0d2569b138e75e
Link:
https://www.unpac.me/results/699cf923-170f-473b-8bdb-e92760383ea4/
Malware family:
VIPKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c890ac9696d1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c890ac9696d1c6e2469d18e24bbb8b32b0cfe63e14ad0d23ecd2a2bb2a10d071

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

VIPKeylogger

Executable exe c890ac9696d1c6e2469d18e24bbb8b32b0cfe63e14ad0d23ecd2a2bb2a10d071

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/51693/

Comments