MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e463f87a0c098ff8bcbc4c262e9eddf3dea51148d2ba9d12c64addb21e2ff978. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VIPKeylogger


Vendor detections: 19


Intelligence 19 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e463f87a0c098ff8bcbc4c262e9eddf3dea51148d2ba9d12c64addb21e2ff978
SHA3-384 hash: 3d59caa2ab5909b3e5acd8ef0d112628f73843a527a67a09b2d2583c6cccd4488035c633328bd751cf41aa4c072b92cc
SHA1 hash: be549d82dc39e2d0733c9b40dbf8bb0949494834
MD5 hash: dbea99565e29b2f1f39892ce2855ec73
humanhash: lemon-white-sierra-georgia
File name:RFQ S04-SQ26050120.exe
Download: download sample
Signature VIPKeylogger
Create hunting rule
File size:991'232 bytes
First seen:2026-05-12 16:56:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'935 x AgentTesla, 19'826 x Formbook, 12'310 x SnakeKeylogger)
ssdeep 12288:cZIrKemgnnPWlYrriBjvvvTqagWQyA50UC/u3Xg/ATDnFMEzWRB55MYZLb0HT0M7:uIbmJlOi3yWM0xuKAtMYavOgVnTW7
Threatray 2'888 similar samples on MalwareBazaar
TLSH T16F2512681663D517C99003358E71F7B816BD1FCEF842E157AFE8AD9FB62BB081C18192
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags:exe VIPKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
119
Origin country :
CH CH
Vendor Threat Intelligence
Malware configuration found for:
RoboSki
Details
Link:
https://research.acce.ciphertechsolutions.com/results/b3946c6d-24dd-4f3a-9c74-ed0566f9a860/
Malware family:
n/a
ID:
1
File name:
exe
Verdict:
Malicious activity
Analysis date:
2026-05-12 16:57:37 UTC
Tags:
evasion auto-reg snake keylogger telegram stealer spyware
Link:
https://app.any.run/tasks/ffb8c7c3-8f1b-438a-bde4-52c679725ad4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
VIPKeyLogger
Create hunting rule
Link:
https://www.capesandbox.com/analysis/65738/
Detection(s):
SecuriteInfo.com.Trojan.Siggen32.41154.18469736.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a035bffaf3df31fa889c640
Tags:
backdoor micro shell
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
krypt packed
Link:
https://www.filescan.io/uploads/6a035bfa792fe2d217b0ef21/reports/38261356-82f1-4ff8-a2b5-ef8e0be30834/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e463f87a0c098ff8bcbc4c262e9eddf3dea51148d2ba9d12c64addb21e2ff978
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-05-12T12:33:00Z UTC
Last seen:
2026-05-14T14:01:00Z UTC
Hits:
~1000
Detections:
HEUR:Trojan-PSW.MSIL.Stealer.gen Trojan.MSIL.Inject.sb Trojan.MSIL.Dnoper.sb VHO:Trojan.MSIL.Inject.gen Trojan-PSW.Win32.Stelega.sb Trojan-PSW.Win32.Stealer.sb Trojan.Win32.Agent.sb Trojan.MSIL.Crypt.sb PDM:Trojan.Win32.Generic HEUR:Trojan-Spy.MSIL.Agent.sb
Link:
https://opentip.kaspersky.com/e463f87a0c098ff8bcbc4c262e9eddf3dea51148d2ba9d12c64addb21e2ff978/results?tab=lookup
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3f80039c-154b-4e4e-95d5-f94c8301c85e
Result
Threat name:
Snake Keylogger, VIP Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1912416
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
AI detected malicious Powershell script
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious values (likely registry only malware)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected UAC Bypass using CMSTP
Yara detected VIP Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1912416 Sample: RFQ S04-SQ26050120.exe Startdate: 12/05/2026 Architecture: WINDOWS Score: 100 53 reallyfreegeoip.org 2->53 55 api.telegram.org 2->55 57 2 other IPs or domains 2->57 73 Suricata IDS alerts for network traffic 2->73 75 Found malware configuration 2->75 77 Malicious sample detected (through community Yara rule) 2->77 83 22 other signatures 2->83 8 RFQ S04-SQ26050120.exe 1 7 2->8         started        12 powershell.exe 19 2->12         started        14 powershell.exe 2->14         started        signatures3 79 Tries to detect the country of the analysis system (by using the IP) 53->79 81 Uses the Telegram API (likely for C&C communication) 55->81 process4 file5 39 C:\Users\user\AppData\Roaming\ygyUBNR.exe, PE32 8->39 dropped 41 C:\Users\user\...\ygyUBNR.exe:Zone.Identifier, ASCII 8->41 dropped 43 C:\Users\user\AppData\...\gjamyoucyyu.ps1, ASCII 8->43 dropped 45 C:\Users\user\...\RFQ S04-SQ26050120.exe.log, ASCII 8->45 dropped 85 Creates autostart registry keys with suspicious values (likely registry only malware) 8->85 87 Creates an autostart registry key pointing to binary in C:\Windows 8->87 89 Adds a directory exclusion to Windows Defender 8->89 91 Injects a PE file into a foreign processes 8->91 16 RFQ S04-SQ26050120.exe 15 2 8->16         started        20 powershell.exe 23 8->20         started        22 ygyUBNR.exe 3 12->22         started        24 conhost.exe 12->24         started        26 ygyUBNR.exe 14->26         started        28 conhost.exe 14->28         started        signatures6 process7 dnsIp8 47 api.telegram.org 149.154.166.110, 443, 49712, 49743 TELEGRAMRU United Kingdom 16->47 49 checkip.dyndns.com 193.122.130.0, 49693, 49696, 49698 ORACLE-BMC-31898US United States 16->49 51 reallyfreegeoip.org 104.21.67.152, 443, 49694, 49695 CLOUDFLARENETUS United States 16->51 63 Tries to steal Mail credentials (via file / registry access) 16->63 65 Loading BitLocker PowerShell Module 20->65 30 conhost.exe 20->30         started        67 Antivirus detection for dropped file 22->67 69 Multi AV Scanner detection for dropped file 22->69 71 Injects a PE file into a foreign processes 22->71 32 ygyUBNR.exe 22->32         started        35 ygyUBNR.exe 26->35         started        37 ygyUBNR.exe 26->37         started        signatures9 process10 signatures11 59 Tries to steal Mail credentials (via file / registry access) 35->59 61 Tries to harvest and steal browser information (history, passwords, etc) 35->61
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e463f87a0c098ff8bcbc4c262e9eddf3dea51148d2ba9d12c64addb21e2ff978
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.19 Win 32 Exe x86
Link:
https://app.malva.re/file/dbea99565e29b2f1f39892ce2855ec73
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e463f87a0c098ff8bcbc4c262e9eddf3dea51148d2ba9d12c64addb21e2ff978/
Verdict:
Malicious
Threat:
Family.SNAKE
Link:
https://tip.neiki.dev/file/e463f87a0c098ff8bcbc4c262e9eddf3dea51148d2ba9d12c64addb21e2ff978
Threat name:
Win32.Trojan.Kepavll
Create hunting rule
Status:
Malicious
First seen:
2026-05-12 15:47:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4rr7q6qmbgh7rpf4jqtc5hw56ppkkeki2k5j2ewgjlo3ehrp7f4a._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
vipkeylogger
Create hunting rule
Similar samples:
09b8a80183a41a92c60fbacf9ee319291e37ae6d4ce0521b23b236b46e095956
VIPKeylogger
1d2a2b5e545def1978b91058fe027033b646d1bc1876b219b0963a073141e867
VIPKeylogger
7db983607b14ea67a3d656542e033ba69fdbd3a4bcb7bea0251205d219ab71bd
VIPKeylogger
8ece82ad36ddad1e13a955098ea9629364950ed21a1155d7be4921208e62eb0c
VIPKeylogger
99f8a75fb301a60588d16fc659fda59f2c48cddfd2d3a730cf9a97d98b1b6023
VIPKeylogger
d6255b39e2be431e6226c8414b75721a16c114960f8a87acc06ea9fa7563006f
VIPKeylogger
error
VIPKeylogger
faa236eaf11ddab3abe7dcc8c69613d89edf60da47060bf6dc881fa9e118cd9e
VIPKeylogger
+ 2'878 additional samples on MalwareBazaar
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:vipkeylogger collection discovery execution keylogger persistence spyware stealer
Link:
https://tria.ge/reports/260512-vghkfse171/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Family: VIPKeylogger
Malware Config
C2 Extraction:
https://api.telegram.org/bot8099843793:AAGeYKMLti1IpyT9o6bz7OtgdXF9md25uXA/sendMessage?chat_id=6337180137
Unpacked files
SH256 hash:
e463f87a0c098ff8bcbc4c262e9eddf3dea51148d2ba9d12c64addb21e2ff978
MD5 hash:
dbea99565e29b2f1f39892ce2855ec73
SHA1 hash:
be549d82dc39e2d0733c9b40dbf8bb0949494834
Link:
https://www.unpac.me/results/125c2dc7-54d9-4a47-8666-5b20c81612f1/
SH256 hash:
3c855bbfae22eaccd00cb2947bf2f05fb733a99b4df7a767a7614be4086807e7
MD5 hash:
df945bc1cc642d673d52736f827cf6a4
SHA1 hash:
074684d7341a15208e584b6aa6cd8a6bc7d6cc99
Detections:
triage_snakekeylogger_infostealer
Create hunting rule
Link:
https://www.unpac.me/results/125c2dc7-54d9-4a47-8666-5b20c81612f1/
Parent samples :
6ea116b59ac03c3211143de70e7ed3843d57a39b0c87936e58d1c5c8e17b439b
2b1709a9c749ff0e6bca3643813dd090ac492a20104666259f65939d5e0c40b0
9d5c8e9c41ff08b0a3be489ac1ef0f014f2749ad0e3217af2e0665c514a072fc
e463f87a0c098ff8bcbc4c262e9eddf3dea51148d2ba9d12c64addb21e2ff978
SH256 hash:
15e25f4815617d089d2bd7f2e4fa926f95a610a648e5a0580a1fd7b176eec9ea
MD5 hash:
1b8b1107dcd0dd465df952e4ca580dc4
SHA1 hash:
1e3e0fc696d3cf9aabc4697360b3cb085a565670
Link:
https://www.unpac.me/results/125c2dc7-54d9-4a47-8666-5b20c81612f1/
SH256 hash:
76106c072ed2281b10e7194dbc72d62eee252f3972418b7a51a870e8f96e47bd
MD5 hash:
834293dbbdcbe23006fe868880be1e8c
SHA1 hash:
870cca87d75df978314a42df89d19570c2c51039
Link:
https://www.unpac.me/results/125c2dc7-54d9-4a47-8666-5b20c81612f1/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e463f87a0c09/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e463f87a0c098ff8bcbc4c262e9eddf3dea51148d2ba9d12c64addb21e2ff978

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

VIPKeylogger

Executable exe e463f87a0c098ff8bcbc4c262e9eddf3dea51148d2ba9d12c64addb21e2ff978

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/65738/

Comments