MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2ab8dcab70822c839912cb672e93de459e5608bea210c78a1be56b54cbd8f81. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VIPKeylogger


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d2ab8dcab70822c839912cb672e93de459e5608bea210c78a1be56b54cbd8f81
SHA3-384 hash: b0c76bc398c5bfed7d376c162870ca5928bc6c4d80168de4a7e5192fff99755387b11c4217763212c4db6b0dd86e0c6f
SHA1 hash: 7306897a6482a9c25e60712f38b9cec69e6a872e
MD5 hash: 5f37d70ffef59cb5bc0a7d488bb9f924
humanhash: johnny-kentucky-uranus-alaska
File name:SWIFT_Advice_Ref16032026.bat
Download: download sample
Signature VIPKeylogger
Create hunting rule
File size:249'719 bytes
First seen:2026-03-17 08:09:00 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/html
ssdeep 6144:PkcmTifygb0IcaThczPfAdRicpX2ikm4qU3XXJbCPYgq:Pwiy86cRicM5m4qqJbC6
Threatray 2'903 similar samples on MalwareBazaar
TLSH T1C634F1624DC46FA9DFE86A1890FF070D13E4DB9F15656589FB237D02AEFB804429B0D8
Magika batch
Reporter lowmal3
Tags:bat VIPKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
DE DE
Vendor Threat Intelligence
Malware configuration found for:
BatchScript
Details
Link:
https://research.acce.ciphertechsolutions.com/results/6bfcd022-431e-4619-b26f-72d39e09d316/
Malware family:
n/a
ID:
1
File name:
SWIFT_Advice_Ref16032026.bat
Verdict:
Malicious activity
Analysis date:
2026-03-17 08:10:42 UTC
Tags:
auto-reg evasion snake keylogger telegram stealer spyware exfiltration smtp susp-powershell donutloader loader
Link:
https://app.any.run/tasks/b937a2c8-0001-4469-b525-35bb53435d88

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/57714/
Detection(s):
SecuriteInfo.com.PowerShell.MulDrop.503.13510.16265.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69b90c3893b644ca466ad8fe
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Sending a custom TCP request
Verdict:
Malicious
Labled as:
PowerShell/TrojanDropper.Agent
Link:
https://www.hybrid-analysis.com/sample/d2ab8dcab70822c839912cb672e93de459e5608bea210c78a1be56b54cbd8f81
Verdict:
Malicious
File Type:
html
Detections:
Trojan-PSW.Win32.Xploder.sb Trojan-PSW.Win32.Stelega.sb Trojan.Win32.Shellcode.sb Trojan.PowerShell.Cobalt.sb Backdoor.MSIL.Cardinal.sb Exploit.Win64.Shellcode.sliverloader.a HEUR:Trojan.BAT.Cobalt.gen Trojan-PSW.Win32.Stealer.sb Trojan-Dropper.Win32.Injector.sb Backdoor.Win32.Androm.sb PDM:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/d2ab8dcab70822c839912cb672e93de459e5608bea210c78a1be56b54cbd8f81/results?tab=lookup
Result
Threat name:
DonutLoader, Snake Keylogger, VIP Keylog
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1884714
Signature
Bypasses PowerShell execution policy
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Encrypted powershell cmdline option found
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the prolog of user mode functions (user mode inline hooks)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Uses attrib.exe to hide files
Uses cmd line tools excessively to alter registry or file data
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected DonutLoader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1884714 Sample: SWIFT_Advice_Ref16032026.bat Startdate: 17/03/2026 Architecture: WINDOWS Score: 100 92 reallyfreegeoip.org 2->92 94 api.telegram.org 2->94 96 2 other IPs or domains 2->96 110 Suricata IDS alerts for network traffic 2->110 112 Found malware configuration 2->112 114 Malicious sample detected (through community Yara rule) 2->114 120 14 other signatures 2->120 13 cmd.exe 1 2->13         started        16 mshta.exe 1 2->16         started        signatures3 116 Tries to detect the country of the analysis system (by using the IP) 92->116 118 Uses the Telegram API (likely for C&C communication) 94->118 process4 signatures5 152 Suspicious powershell command line found 13->152 154 Uses cmd line tools excessively to alter registry or file data 13->154 156 Encrypted powershell cmdline option found 13->156 158 2 other signatures 13->158 18 cmd.exe 4 13->18         started        22 conhost.exe 13->22         started        24 cmd.exe 1 16->24         started        process6 file7 78 C:\Users\user\AppData\Roaming\...\SERIOUS.cmd, HTML 18->78 dropped 80 C:\Users\user\AppData\Roaming\...\Cluster.hta, HTML 18->80 dropped 122 Suspicious powershell command line found 18->122 124 Uses cmd line tools excessively to alter registry or file data 18->124 126 Encrypted powershell cmdline option found 18->126 26 powershell.exe 30 18->26         started        30 powershell.exe 16 18->30         started        32 conhost.exe 18->32         started        38 3 other processes 18->38 34 cmd.exe 1 24->34         started        36 conhost.exe 24->36         started        signatures8 process9 file10 82 C:\Users\user\AppData\Local\...\dplq4da4.0.cs, C++ 26->82 dropped 84 C:\Users\user\AppData\...\2rwoxprt.cmdline, Unicode 26->84 dropped 136 Injects code into the Windows Explorer (explorer.exe) 26->136 138 Writes to foreign memory regions 26->138 140 Creates a thread in another existing process (thread injection) 26->140 40 explorer.exe 44 4 26->40 injected 44 csc.exe 3 26->44         started        47 csc.exe 3 26->47         started        86 C:\Users\user\AppData\Local\...\DIALOGUE.ps1, Unicode 30->86 dropped 142 Found suspicious powershell code related to unpacking or dynamic code loading 30->142 144 Compiles code for process injection (via .Net compiler) 30->144 146 Suspicious powershell command line found 34->146 148 Uses cmd line tools excessively to alter registry or file data 34->148 150 Encrypted powershell cmdline option found 34->150 49 powershell.exe 15 34->49         started        51 conhost.exe 34->51         started        53 reg.exe 1 34->53         started        55 3 other processes 34->55 signatures11 process12 dnsIp13 98 api.telegram.org 149.154.166.110, 443, 49717 TELEGRAMRU United Kingdom 40->98 100 checkip.dyndns.com 193.122.130.0, 49701, 49703, 49705 ORACLE-BMC-31898US United States 40->100 102 reallyfreegeoip.org 172.67.177.134, 443, 49702, 49704 CLOUDFLARENETUS United States 40->102 128 System process connects to network (likely due to code injection or exploit) 40->128 130 Tries to steal Mail credentials (via file / registry access) 40->130 132 Tries to harvest and steal browser information (history, passwords, etc) 40->132 134 Unusual module load detection (module proxying) 40->134 57 mshta.exe 40->57         started        88 C:\Users\user\AppData\Local\...\dplq4da4.dll, PE32 44->88 dropped 59 cvtres.exe 1 44->59         started        90 C:\Users\user\AppData\Local\...\2rwoxprt.dll, PE32 47->90 dropped 61 cvtres.exe 1 47->61         started        file14 signatures15 process16 process17 63 cmd.exe 57->63         started        process18 65 cmd.exe 63->65         started        68 conhost.exe 63->68         started        signatures19 104 Suspicious powershell command line found 65->104 106 Uses cmd line tools excessively to alter registry or file data 65->106 108 Encrypted powershell cmdline option found 65->108 70 conhost.exe 65->70         started        72 attrib.exe 65->72         started        74 attrib.exe 65->74         started        76 3 other processes 65->76 process20
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/d2ab8dcab70822c839912cb672e93de459e5608bea210c78a1be56b54cbd8f81
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d2ab8dcab70822c839912cb672e93de459e5608bea210c78a1be56b54cbd8f81/
Verdict:
Malicious
Threat:
Family.SNAKE
Link:
https://tip.neiki.dev/file/d2ab8dcab70822c839912cb672e93de459e5608bea210c78a1be56b54cbd8f81
Threat name:
Script-PowerShell.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2026-03-17 05:09:07 UTC
File Type:
Text (Batch)
AV detection:
10 of 22 (45.45%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2kvy3svxbarmqomrfs3hf2j54rm6kyel5iqqy6fbxzllktf5r6aq._file
Verdict:
malicious
Label(s):
donutloader
Create hunting rule
vipkeylogger
Create hunting rule
Similar samples:
0590bcf46064f75a3383dbb84c3f1365b5684f414e0dd0de4504034aaeedf088
VIPKeylogger
5e70b2297e5a00483901cb15f342af5d974c4662f52a64aa35586fb6b820aa08
VIPKeylogger
61061bd61fd9b9abc52c6041993114456744e4bde92f22423daea647b7f02c5b
VIPKeylogger
74de71d06d873e0cc8d6d92c2a340a6b7be6f5867772edf7790bff0297814636
VIPKeylogger
938046c9235f3c5d7257011d9c7e55ed08c342517a38e83c132b6c06f689f0c1
VIPKeylogger
c1ac4217e48ba5dcd89a543db47563a12b7e402193145d7d71ae7b3351cad47b
VIPKeylogger
c890ac9696d1c6e2469d18e24bbb8b32b0cfe63e14ad0d23ecd2a2bb2a10d071
VIPKeylogger
c9fe8a53f318210648f805094af93245fb05c4bf3e36d07be96c07ad434eb096
VIPKeylogger
error
VIPKeylogger
+ 2'893 additional samples on MalwareBazaar
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:donutloader family:vipkeylogger collection defense_evasion discovery execution keylogger loader persistence stealer
Link:
https://tria.ge/reports/260317-j2avkagx3w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Views/modifies file attributes
outlook_office_path
outlook_win_path
Browser Information Discovery
Accesses Microsoft Outlook profiles
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Detects DonutLoader
DonutLoader
Donutloader family
VIPKeylogger
Vipkeylogger family
Malware Config
C2 Extraction:
https://api.telegram.org/bot8177500259:AAHuZUtGMHUKkjN3M1Qi8DVi8S2hm8vMaiM/sendMessage?chat_id=7727828833
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/d2ab8dcab70822c839912cb672e93de459e5608bea210c78a1be56b54cbd8f81

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Base64_Encoded_Powershell_Directives
Create hunting rule
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

VIPKeylogger

Batch (bat) bat d2ab8dcab70822c839912cb672e93de459e5608bea210c78a1be56b54cbd8f81

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/57714/

Comments