MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de054d8f9b649022d29cfcf89c05e8468e765fb5a5543d25abe29b9e41a3abae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VIPKeylogger


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: de054d8f9b649022d29cfcf89c05e8468e765fb5a5543d25abe29b9e41a3abae
SHA3-384 hash: dd45245810c1da625f818fcc50f807468fa7cde470959becda01b5b1e28787fb2be8ad3f47c2c6cd405197398acfd69a
SHA1 hash: 2d3e8c16e34f4ab8558db4d88bb8e836ff2c1b66
MD5 hash: 470beefecdb60d9ac07858f83395f900
humanhash: glucose-louisiana-xray-papa
File name:DHL TecoMecFF1557004015.bat
Download: download sample
Signature VIPKeylogger
Create hunting rule
File size:202'387 bytes
First seen:2025-09-12 14:48:02 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 6144:WR4FkR4CQi7OZG47qAzPKH0lHobbfB7Oc35W+hq8m7x7I:WwrCp7OZGelPKHvbfB7Oc35W+hq8Ix8
Threatray 1'078 similar samples on MalwareBazaar
TLSH T1B614073DCAB0FDD0432F31E49A6E3B46218D5B53B7720B2CFAD0496619A5546EF3A24C
Magika batch
Reporter abuse_ch
Tags:bat DHL VIPKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
45
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHLTecoMecFF1557004015.bat
Verdict:
Malicious activity
Analysis date:
2025-09-12 14:55:36 UTC
Tags:
evasion snake keylogger telegram stealer susp-powershell
Link:
https://app.any.run/tasks/05aea2a9-8ff8-4c3f-bae6-420de6b58261

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
VIPKeyLogger
Create hunting rule
Link:
https://www.capesandbox.com/analysis/27178/
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c433206e66ba602d7afb01
Tags:
obfuscate xtreme shell
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade obfuscated
Link:
https://www.filescan.io/uploads/68c433c4dbc6f5a29c421d5e/reports/c3c72d04-7500-4e61-9385-397b1fb672c5/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/de054d8f9b649022d29cfcf89c05e8468e765fb5a5543d25abe29b9e41a3abae
Verdict:
Clean
File Type:
text
First seen:
2025-09-12T06:01:00Z UTC
Last seen:
2025-09-12T06:01:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/de054d8f9b649022d29cfcf89c05e8468e765fb5a5543d25abe29b9e41a3abae/results?tab=lookup
Result
Threat name:
Snake Keylogger, VIP Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1776570
Signature
.NET source code contains a sample name check
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1776570 Sample: DHL TecoMecFF1557004015.bat Startdate: 12/09/2025 Architecture: WINDOWS Score: 100 25 reallyfreegeoip.org 2->25 27 api.telegram.org 2->27 29 2 other IPs or domains 2->29 39 Suricata IDS alerts for network traffic 2->39 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 49 12 other signatures 2->49 9 cmd.exe 1 2->9         started        signatures3 45 Tries to detect the country of the analysis system (by using the IP) 25->45 47 Uses the Telegram API (likely for C&C communication) 27->47 process4 signatures5 59 Suspicious powershell command line found 9->59 12 cmd.exe 1 9->12         started        14 conhost.exe 9->14         started        process6 process7 16 cmd.exe 3 12->16         started        signatures8 37 Suspicious powershell command line found 16->37 19 powershell.exe 19 28 16->19         started        23 conhost.exe 16->23         started        process9 dnsIp10 31 checkip.dyndns.com 132.226.8.169, 49687, 80 UTMEMUS United States 19->31 33 api.telegram.org 149.154.167.220, 443, 49691 TELEGRAMRU United Kingdom 19->33 35 reallyfreegeoip.org 104.21.48.1, 443, 49688 CLOUDFLARENETUS United States 19->35 51 Tries to steal Mail credentials (via file / registry access) 19->51 53 Tries to harvest and steal browser information (history, passwords, etc) 19->53 55 Found suspicious powershell code related to unpacking or dynamic code loading 19->55 57 Loading BitLocker PowerShell Module 19->57 signatures11
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/de054d8f9b649022d29cfcf89c05e8468e765fb5a5543d25abe29b9e41a3abae
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/de054d8f9b649022d29cfcf89c05e8468e765fb5a5543d25abe29b9e41a3abae/
Verdict:
Malicious
Threat:
Family.SNAKE
Link:
https://tip.neiki.dev/file/de054d8f9b649022d29cfcf89c05e8468e765fb5a5543d25abe29b9e41a3abae
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3ycu3d43msicfuu47t4jybpii2hhmx5vuvkd2jnl4knz4qndvoxa._file
Verdict:
malicious
Label(s):
404keylogger
Create hunting rule
Similar samples:
2e6129b0aa7aed4e1161b9e09d14a2f5637cfd426e97fce1e95b0bee7ac28826
VIPKeylogger
4c4325b30bdd642079ff785e3cb3b7b71f556a8880c106fe8d160da35f6a6124
VIPKeylogger
90b230c7b8c4991a8f657bc8031157a9070c24eb3de9cd074241985dc99489c0
VIPKeylogger
b355c43bd26f9727f4a9461afe6ee78995deceb671ebfddc6f7cf895cc663a02
VIPKeylogger
ca8cf8aa0bab28b391de182e61cf7f9e8f8464717ab971384b73db628aef7267
VIPKeylogger
cbc366eb88520c2f1a9c0db8a7f5318b4f8a9a0993352a31d877c63e8abc8d0c
VIPKeylogger
e2140c6390f7696be2a70de9072137210c6ec238e5586fce237917a2082bbdd9
VIPKeylogger
e7f7a21ee9aaf1f982d222aa7637f8f32c88c44e0b24d9a470fe5ccc47ee55fe
VIPKeylogger
error
VIPKeylogger
+ 1'068 additional samples on MalwareBazaar
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:vipkeylogger collection discovery execution keylogger stealer
Link:
https://tria.ge/reports/250912-r8zfhahp4x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
System Location Discovery: System Language Discovery
Accesses Microsoft Outlook profiles
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Badlisted process makes network request
VIPKeylogger
Vipkeylogger family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/de054d8f9b649022d29cfcf89c05e8468e765fb5a5543d25abe29b9e41a3abae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_PS1_JAB_Pattern_Jun22_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable
Reference:Internal Research
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/27178/

Comments