MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c4b7eed84460dd5342f37f974a6845d7a81ab3fce075cfd4d8cf40f5a66c415. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VIPKeylogger


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0c4b7eed84460dd5342f37f974a6845d7a81ab3fce075cfd4d8cf40f5a66c415
SHA3-384 hash: cedd6a1355bb43070ff66c3363e742ebe871405abaeb1080757f92ee78c8a4a6c979bf65f5201d630a42d91b6b12257c
SHA1 hash: 12266d5c1270e16b53a3d809376e350efe720e71
MD5 hash: 9e08d6ada08f1ee90ff36da03582543e
humanhash: solar-thirteen-april-sweet
File name:New Purchase Order.js
Download: download sample
Signature VIPKeylogger
Create hunting rule
File size:16'115'072 bytes
First seen:2026-01-16 16:34:53 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 3072:9kkVtLkkVtLkkVtLkkVtLkkVtLkkVtLkkVtLkkVtLkkVtLkkVtLkkVtLkkVtLkkd:/bbbbbbbbbbbbbbbbbbbj
Threatray 9 similar samples on MalwareBazaar
TLSH T19FF6D011327FC30CB6730A2D86F670A56ABBFB97AA75CBD801B0090D19E5D11C962F67
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Magika txt
Reporter abuse_ch
Tags:js VIPKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
105
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=696a68f457243ef151cd9a6e
Tags:
dropper shell sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 evasive masquerade obfuscated powershell powershell repaired
Link:
https://www.filescan.io/uploads/696a68dc584f1963ad5763f5/reports/51d5a13b-2331-4e05-814c-95f6bc26ea8c/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/0c4b7eed84460dd5342f37f974a6845d7a81ab3fce075cfd4d8cf40f5a66c415
Verdict:
Malicious
File Type:
js
First seen:
2026-01-15T14:11:00Z UTC
Last seen:
2026-01-17T12:48:00Z UTC
Hits:
~100
Detections:
PDM:Trojan.Win32.Generic Trojan.JS.SAgent.sb HEUR:Trojan.Script.SAgent.gen Trojan.Taskun.TCP.C&C
Link:
https://opentip.kaspersky.com/0c4b7eed84460dd5342f37f974a6845d7a81ab3fce075cfd4d8cf40f5a66c415/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1852180
Signature
AI detected malicious Powershell script
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Creates autostart registry keys with suspicious names
Creates autostart registry keys with suspicious values (likely registry only malware)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: MSBuild connects to smtp port
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript called in batch mode (surpress errors)
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Yara detected Powershell decode and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1852180 Sample: New Purchase Order.js Startdate: 16/01/2026 Architecture: WINDOWS Score: 100 96 reallyfreegeoip.org 2->96 98 pastebin.com 2->98 100 12 other IPs or domains 2->100 112 Suricata IDS alerts for network traffic 2->112 114 Malicious sample detected (through community Yara rule) 2->114 116 Multi AV Scanner detection for submitted file 2->116 122 14 other signatures 2->122 12 wscript.exe 1 2 2->12         started        16 powershell.exe 2->16         started        18 powershell.exe 2->18         started        20 svchost.exe 2->20         started        signatures3 118 Tries to detect the country of the analysis system (by using the IP) 96->118 120 Connects to a pastebin service (likely for C&C) 98->120 process4 dnsIp5 94 C:\Users\user\AppData\Local\Temp\Roda.ps1, ASCII 12->94 dropped 154 Suspicious powershell command line found 12->154 156 Wscript starts Powershell (via cmd or directly) 12->156 158 Bypasses PowerShell execution policy 12->158 160 2 other signatures 12->160 23 powershell.exe 14 17 12->23         started        28 wscript.exe 16->28         started        30 conhost.exe 16->30         started        32 wscript.exe 18->32         started        34 conhost.exe 18->34         started        102 127.0.0.1 unknown unknown 20->102 file6 signatures7 process8 dnsIp9 104 pastebin.com 172.66.171.73, 443, 49693, 49716 CLOUDFLARENETUS United States 23->104 88 C:\Users\user\AppData\Local\Temp\xx2.vbs, ASCII 23->88 dropped 144 Writes to foreign memory regions 23->144 146 Injects a PE file into a foreign processes 23->146 148 Wscript called in batch mode (surpress errors) 23->148 36 powershell.exe 23 23->36         started        39 MSBuild.exe 15 10 23->39         started        42 powershell.exe 13 23->42         started        45 conhost.exe 23->45         started        150 Suspicious powershell command line found 28->150 152 Wscript starts Powershell (via cmd or directly) 28->152 47 powershell.exe 28->47         started        49 powershell.exe 32->49         started        file10 signatures11 process12 dnsIp13 136 Loading BitLocker PowerShell Module 36->136 51 powershell.exe 1 11 36->51         started        106 mail.ilaydapromosyon.com 37.75.10.148, 49752, 49762, 49763 BETAINTERNATIONALTR Turkey 39->106 108 api.telegram.org 149.154.166.110, 443, 49727, 49755 TELEGRAMRU United Kingdom 39->108 110 2 other IPs or domains 39->110 138 Tries to steal Mail credentials (via file / registry access) 39->138 140 Unusual module load detection (module proxying) 39->140 90 C:\...90ew Purchase Order.js:Zone.Identifier, ASCII 42->90 dropped 92 C:\Users\user\...92ew Purchase Order.js, Unicode 42->92 dropped 142 Wscript called in batch mode (surpress errors) 47->142 54 wscript.exe 47->54         started        56 conhost.exe 47->56         started        58 wscript.exe 49->58         started        60 conhost.exe 49->60         started        file14 signatures15 process16 signatures17 124 Creates autostart registry keys with suspicious values (likely registry only malware) 51->124 126 Creates autostart registry keys with suspicious names 51->126 128 Wscript starts Powershell (via cmd or directly) 54->128 62 powershell.exe 54->62         started        65 powershell.exe 58->65         started        process18 signatures19 162 Writes to foreign memory regions 62->162 164 Injects a PE file into a foreign processes 62->164 67 MSBuild.exe 62->67         started        70 powershell.exe 62->70         started        72 conhost.exe 62->72         started        74 powershell.exe 62->74         started        76 powershell.exe 65->76         started        78 MSBuild.exe 65->78         started        80 conhost.exe 65->80         started        82 powershell.exe 65->82         started        process20 signatures21 130 Tries to steal Mail credentials (via file / registry access) 67->130 132 Tries to harvest and steal browser information (history, passwords, etc) 67->132 84 powershell.exe 70->84         started        134 Loading BitLocker PowerShell Module 76->134 86 powershell.exe 76->86         started        process22
Score:
83%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/0c4b7eed84460dd5342f37f974a6845d7a81ab3fce075cfd4d8cf40f5a66c415
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0c4b7eed84460dd5342f37f974a6845d7a81ab3fce075cfd4d8cf40f5a66c415/
Verdict:
Malicious
Threat:
Family.VIPKEYLOGGER
Link:
https://tip.neiki.dev/file/0c4b7eed84460dd5342f37f974a6845d7a81ab3fce075cfd4d8cf40f5a66c415
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-01-16 01:47:05 UTC
File Type:
Text (JavaScript)
AV detection:
5 of 24 (20.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=brfx53meiyg5knbpg74xjjuelv5idkz7zydvz7knrt2a6wtgyqkq._file
Verdict:
malicious
Label(s):
vipkeylogger
Create hunting rule
unc_loader_001
Create hunting rule
Similar samples:
1da392c740766d577b9c90edda753f04710798250ab6373ef07a095e1cb7a6ad
VIPKeylogger
285b52432abd3931d8728051397abcab339dad11b966397de1bd436ecf738b22
VIPKeylogger
7eab4d2fbc01c32c04781a9d2f88f911cce2e2de54920a0a9e8f5777300518c3
VIPKeylogger
7ff9f7b3d5ee5db2673b8210539b617acffd690f2b125097d51a83b750fcfebb
VIPKeylogger
90b127b083dfdcb086340fc93b24ad2407161a61e00b68e80c20db4f0b6fea42
VIPKeylogger
d7582e026e27a9e4d9047a193832fd3f1a5393336d1eb55075029e8b24118b0c
VIPKeylogger
error
VIPKeylogger
f8091ce64c34368f353d967c79bb9ef16730552c22c06857be965bc50f06c98c
VIPKeylogger
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:vipkeylogger collection discovery execution keylogger persistence stealer
Link:
https://tria.ge/reports/260116-t35fnsav8f/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Contacts third-party web service commonly abused for C2
Looks up external IP address via web service
Checks computer location settings
Badlisted process makes network request
VIPKeylogger
Vipkeylogger family
Malware Config
Dropper Extraction:
https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll%2FJS.txt?alt=media&token=8121d613-fe58-4418-80dd-328896b66ad9
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0c4b7eed84460dd5342f37f974a6845d7a81ab3fce075cfd4d8cf40f5a66c415

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments