MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fbfa970adebde6e46f5f73d868d1568c8119bbd15e4cc77324c018cc5314cff3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VIPKeylogger


Vendor detections: 17


Intelligence 17 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fbfa970adebde6e46f5f73d868d1568c8119bbd15e4cc77324c018cc5314cff3
SHA3-384 hash: 7c51c043f0742af3750d3a6ac7902cba6a4a9d302fa8d6c9edf1cd118bc9336c04048cd7d20370382b8315bb91ebae3d
SHA1 hash: fe9f9ec665aec853e03c01e6f8c7210076142794
MD5 hash: 6e5634b01b67b0dbfc8fe4a3a96e2cf1
humanhash: yellow-wisconsin-glucose-football
File name:ORDER CONFIRMATION_pdf.exe
Download: download sample
Signature VIPKeylogger
Create hunting rule
File size:309'760 bytes
First seen:2026-01-28 12:43:02 UTC
Last seen:2026-02-05 15:55:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a6575984dc975b0d1678d7d86b67443c (1 x VIPKeylogger)
ssdeep 6144:yo2/o5sb5BCJRYLhDWQZbFYWWmoWXQAAXkR8CSI8+mTYE8BWUQHMANAj:rsHCbYLhD5yDWIXkR8CSvdH8BWUGNA
Threatray 2'516 similar samples on MalwareBazaar
TLSH T1B5642352580F1152DC25A2B43964A0BD6CE8B6D0D0C6BB96DD38E2B73AD63B35E4827C
TrID 38.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.6% (.ICL) Windows Icons Library (generic) (2059/9)
15.4% (.EXE) OS/2 Executable (generic) (2029/13)
15.2% (.EXE) Generic Win/DOS Executable (2002/3)
15.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter lowmal3
Tags:exe VIPKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
130
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
ORDER CONFIRMATION_pdf.exe
Verdict:
Malicious activity
Analysis date:
2026-01-28 12:45:56 UTC
Tags:
snake keylogger evasion telegram stealer ftp donutloader loader
Link:
https://app.any.run/tasks/8b7fa150-261d-431e-863c-9c97d4b07a6f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/50512/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=697a04706fa3eed1652fe32a
Tags:
underscore phishing snake
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Сreating synchronization primitives
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Connecting to a non-recommended domain
Creating a window
Stealing user critical data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
crypto hacktool masm masquerade packed snakestealer
Link:
https://www.filescan.io/uploads/697a046d4156786ccbdcc868/reports/4bbf7831-8b70-49f4-8208-657993eb2b86/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/fbfa970adebde6e46f5f73d868d1568c8119bbd15e4cc77324c018cc5314cff3
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-01-28T06:39:00Z UTC
Last seen:
2026-01-30T09:37:00Z UTC
Hits:
~1000
Detections:
Trojan.Win64.Donut.sb Trojan.Win32.Agent.sb Trojan-PSW.SnakeLogger.HTTP.C&C Trojan-PSW.MSIL.Stealer.sb VHO:Trojan.Win32.Shellcode.lpq HEUR:Trojan-PSW.MSIL.Stealer.gen Trojan.Win32.Shellcode.sb Trojan-Spy.Stealer.FTP.C&C Trojan.Win64.Agentb.sb PDM:Trojan.Win32.Generic Trojan-PSW.Win32.Stelega.sb Trojan-PSW.Win32.Stealer.sb Trojan.Win64.DonutInjector.sb Trojan.Win64.Shellcode.DonutInjector.sb Trojan.Win32.Shellcode.lpq VHO:Trojan.Win32.Shellcode.gen Trojan.Win32.Shellcode.DonutInjector.sb VHO:Backdoor.Win32.PMax.gen
Link:
https://opentip.kaspersky.com/fbfa970adebde6e46f5f73d868d1568c8119bbd15e4cc77324c018cc5314cff3/results?tab=lookup
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f5fba9f1-2caf-42bf-b64f-e15e7badf9d9
Result
Threat name:
DonutLoader, Snake Keylogger, VIP Keylog
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1858971
Signature
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Uses the Telegram API (likely for C&C communication)
Yara detected DonutLoader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/fbfa970adebde6e46f5f73d868d1568c8119bbd15e4cc77324c018cc5314cff3
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fbfa970adebde6e46f5f73d868d1568c8119bbd15e4cc77324c018cc5314cff3/
Verdict:
Malicious
Threat:
Family.SNAKE
Link:
https://tip.neiki.dev/file/fbfa970adebde6e46f5f73d868d1568c8119bbd15e4cc77324c018cc5314cff3
Threat name:
Win64.Trojan.DonutLoader
Create hunting rule
Status:
Malicious
First seen:
2026-01-28 12:43:25 UTC
File Type:
PE+ (Exe)
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7p5jocw6xxtoi327opmgrukwrsarto6rlzgmo4zeyammyuyuz7zq._file
Verdict:
malicious
Label(s):
vipkeylogger
Create hunting rule
Similar samples:
1a9dedcdb3fa783b8211f36d2eeb9791e78df7dfedcecd4b08608484aea3c1bf
VIPKeylogger
3215c8d11f86adfb39aa9334aacefb4d61643669fd2bcd3a5068117187c775cf
VIPKeylogger
386e075c4b38ed2f8a1288d41f3d3508ff84337a0f9507c51f46ad01eb0c1613
VIPKeylogger
3f30eb884452a6b86c47244eaaf528b7e517b6ac85a6c85099e57d7c69fd944b
VIPKeylogger
799fda3ecc1dd25a3100b87ab8b41678a32ac761ecf75f59167eb77f91e0a3a1
VIPKeylogger
cb0abae850df78ff16fd40f2f6b3ea4f88edc5fb10ef670b4e6439c45d92ebaa
VIPKeylogger
e2ce99e1e13320ce7b3daaa486701a5587a3692905d9ce91bc75c4e498ce2983
VIPKeylogger
error
VIPKeylogger
fbfa970adebde6e46f5f73d868d1568c8119bbd15e4cc77324c018cc5314cff3
VIPKeylogger
+ 2'506 additional samples on MalwareBazaar
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:donutloader family:vipkeylogger collection discovery keylogger loader spyware stealer
Link:
https://tria.ge/reports/260128-px4vqsas7c/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
outlook_office_path
outlook_win_path
Browser Information Discovery
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Detects DonutLoader
DonutLoader
Donutloader family
VIPKeylogger
Vipkeylogger family
Unpacked files
SH256 hash:
fbfa970adebde6e46f5f73d868d1568c8119bbd15e4cc77324c018cc5314cff3
MD5 hash:
6e5634b01b67b0dbfc8fe4a3a96e2cf1
SHA1 hash:
fe9f9ec665aec853e03c01e6f8c7210076142794
Link:
https://www.unpac.me/results/a06f30fb-b7d9-4bc6-822c-39bcdd0e9909/
Malware family:
VIPKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fbfa970adebd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fbfa970adebde6e46f5f73d868d1568c8119bbd15e4cc77324c018cc5314cff3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:dgaagas
Create hunting rule
Author:Harshit
Description:Uses certutil.exe to download a file named test.txt

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

VIPKeylogger

Executable exe fbfa970adebde6e46f5f73d868d1568c8119bbd15e4cc77324c018cc5314cff3

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/50512/

Comments