MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9fe8a53f318210648f805094af93245fb05c4bf3e36d07be96c07ad434eb096. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VIPKeylogger


Vendor detections: 17


Intelligence 17 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c9fe8a53f318210648f805094af93245fb05c4bf3e36d07be96c07ad434eb096
SHA3-384 hash: 4a3aefd1b0f4ff51d5e3201836c6c9e158f775f536e4adab474225561fcdce76e66451930206d4096b450d06dee7045a
SHA1 hash: c9ea890f78823c6fba067fa4a6175bacb20e26da
MD5 hash: 00007b961ae96ab358b1ec9195e55231
humanhash: carpet-leopard-chicken-alpha
File name:Copia de comprobante de transferencia 02-03-2026.exe
Download: download sample
Signature VIPKeylogger
Create hunting rule
File size:306'176 bytes
First seen:2026-02-03 13:34:24 UTC
Last seen:2026-02-03 14:23:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 051cad3135c349095999b0202ddb44ad (1 x VIPKeylogger)
ssdeep 6144:vX1e6noWyYRRUZJHwGQubj3TQSRvohyraJ5E+a0Tcb/:fobYkbHrQuZy4+a0T
Threatray 2'582 similar samples on MalwareBazaar
TLSH T1D654237619793BBFE8DFBA341420F160574A05ABA7F45B346B02A3806B973195EECC03
TrID 38.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.6% (.ICL) Windows Icons Library (generic) (2059/9)
15.4% (.EXE) OS/2 Executable (generic) (2029/13)
15.2% (.EXE) Generic Win/DOS Executable (2002/3)
15.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter threatcat_ch
Tags:exe VIPKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
135
Origin country :
CH CH
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
Copia de comprobante de transferencia 02-03-2026.exe
Verdict:
Malicious activity
Analysis date:
2026-02-03 13:35:54 UTC
Tags:
evasion snake keylogger telegram stealer ftp donutloader loader
Link:
https://app.any.run/tasks/22103756-f358-4229-81f6-fcbad411d366

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/51448/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6981f968183032faf3eeeb78
Tags:
phishing backdoor virus hype
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Connecting to a non-recommended domain
Creating a window
Stealing user critical data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
hacktool packed
Link:
https://www.filescan.io/uploads/6981f969981ff1d38a468390/reports/1fe98740-89e7-43ee-ba53-ee5d386b092b/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/c9fe8a53f318210648f805094af93245fb05c4bf3e36d07be96c07ad434eb096
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-02-03T05:53:00Z UTC
Last seen:
2026-02-05T05:47:00Z UTC
Hits:
~1000
Detections:
Trojan-Spy.Stealer.FTP.C&C Trojan.Win64.Agentb.sb HEUR:Trojan-PSW.MSIL.Stealer.gen PDM:Trojan.Win32.Generic Trojan.Win64.DonutInjector.sb Trojan.Win32.Agent.sb Trojan-PSW.SnakeLogger.HTTP.C&C Trojan-PSW.MSIL.Stealer.sb Trojan.Win32.Shellcode.mar Trojan-PSW.Win32.Stelega.sb Trojan-PSW.Win32.Stealer.sb Trojan.Win64.Donut.sb Trojan.Win32.Shellcode.sb VHO:Backdoor.MSIL.Agent.gen VHO:Trojan.Win32.Injuke.gen
Link:
https://opentip.kaspersky.com/c9fe8a53f318210648f805094af93245fb05c4bf3e36d07be96c07ad434eb096/results?tab=lookup
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b923c9aa-dd14-42e4-a9b4-9f733465feb4
Result
Threat name:
DonutLoader, Snake Keylogger, VIP Keylog
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1862428
Signature
Antivirus detection for URL or domain
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Uses the Telegram API (likely for C&C communication)
Yara detected DonutLoader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c9fe8a53f318210648f805094af93245fb05c4bf3e36d07be96c07ad434eb096
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c9fe8a53f318210648f805094af93245fb05c4bf3e36d07be96c07ad434eb096/
Verdict:
Malicious
Threat:
Family.SNAKE
Link:
https://tip.neiki.dev/file/c9fe8a53f318210648f805094af93245fb05c4bf3e36d07be96c07ad434eb096
Threat name:
Win64.Trojan.Snakekeylogger
Create hunting rule
Status:
Malicious
First seen:
2026-02-03 12:19:06 UTC
File Type:
PE+ (Exe)
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zh7iuu7tdaqqmshyaueuv6jsix5qlrf7hy3na67jnqd22q2owcla._file
Verdict:
malicious
Label(s):
donutloader
Create hunting rule
vipkeylogger
Create hunting rule
Similar samples:
1a9dedcdb3fa783b8211f36d2eeb9791e78df7dfedcecd4b08608484aea3c1bf
VIPKeylogger
3215c8d11f86adfb39aa9334aacefb4d61643669fd2bcd3a5068117187c775cf
VIPKeylogger
386e075c4b38ed2f8a1288d41f3d3508ff84337a0f9507c51f46ad01eb0c1613
VIPKeylogger
c9fe8a53f318210648f805094af93245fb05c4bf3e36d07be96c07ad434eb096
VIPKeylogger
cb0abae850df78ff16fd40f2f6b3ea4f88edc5fb10ef670b4e6439c45d92ebaa
VIPKeylogger
e2ce99e1e13320ce7b3daaa486701a5587a3692905d9ce91bc75c4e498ce2983
VIPKeylogger
error
VIPKeylogger
f097265db58ea07710bbc2d2f9e2c0287082cca33a1e4df4e388854ce677ff67
VIPKeylogger
fbfa970adebde6e46f5f73d868d1568c8119bbd15e4cc77324c018cc5314cff3
VIPKeylogger
+ 2'572 additional samples on MalwareBazaar
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:donutloader family:vipkeylogger collection discovery keylogger loader spyware stealer
Link:
https://tria.ge/reports/260203-qvctxaby5e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
outlook_office_path
outlook_win_path
Browser Information Discovery
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Detects DonutLoader
DonutLoader
Donutloader family
VIPKeylogger
Vipkeylogger family
Unpacked files
SH256 hash:
c9fe8a53f318210648f805094af93245fb05c4bf3e36d07be96c07ad434eb096
MD5 hash:
00007b961ae96ab358b1ec9195e55231
SHA1 hash:
c9ea890f78823c6fba067fa4a6175bacb20e26da
Link:
https://www.unpac.me/results/232a7595-d039-42aa-8a4a-b76c7fb2582e/
Malware family:
VIPKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c9fe8a53f318/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c9fe8a53f318210648f805094af93245fb05c4bf3e36d07be96c07ad434eb096

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

VIPKeylogger

Executable exe c9fe8a53f318210648f805094af93245fb05c4bf3e36d07be96c07ad434eb096

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/51448/

Comments