MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 143dc395c381185bab3f4d6dcb3ea06d4c5f35569b994ee5e7176ac2a1510316. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

VIPKeylogger

Vendor detections: 12

Intelligence 12 IOCs YARA 5 File information Comments

SHA256 hash:	143dc395c381185bab3f4d6dcb3ea06d4c5f35569b994ee5e7176ac2a1510316
SHA3-384 hash:	e7e1263b7433f91554b019cdebff8245ab7a43de4fc6e5d36cf59b10f2154b7177342d38b52c5cf771aad36ae0d97cf5
SHA1 hash:	b3127dc27f090dcfba47f6aa2f4a5135020ceb6e
MD5 hash:	93d88af9487916b874ed3186c9a8a31d
humanhash:	low-mirror-tango-rugby
File name:	ENCRYPTED.ps1
Download:	download sample
Signature	VIPKeylogger Create hunting rule
File size:	1'194'125 bytes
First seen:	2026-02-18 09:31:10 UTC
Last seen:	Never
File type:	ps1
MIME type:	text/plain
ssdeep	24576:F14rznXJ3u3u2nNfbU70KneaHsdrkcGmU9gvNsJZ:F1i9ethbDGmCZ
Threatray	2'868 similar samples on MalwareBazaar
TLSH	T196451290D92ADEA00A1C5061246A1DC769800EA74C88BB297F8F9F8C1F1F61FD5767FD
Magika	powershell
Reporter	abuse_ch
Tags:	ps1 VIPKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=699587022d369b1ab284fd14

Tags:

ransomware virus shell

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

base64 powershell

Link:

https://www.filescan.io/uploads/699586eb9eaae846593c34f0/reports/8f99e10c-cc10-4e0b-98c8-8a28b55c1e73/overview

Verdict:

Suspicious

Labled as:

PowerShell/Agent.DZA trojan

Link:

https://www.hybrid-analysis.com/sample/143dc395c381185bab3f4d6dcb3ea06d4c5f35569b994ee5e7176ac2a1510316

Result

Gathering data

Verdict:

Malicious

File Type:

ps1

First seen:

2026-02-09T01:55:00Z UTC

Last seen:

2026-02-09T02:19:00Z UTC

Hits:

~10

Detections:

Trojan.Win32.InjectorNetT.s PDM:Trojan.Win32.Generic

Link:

https://opentip.kaspersky.com/143dc395c381185bab3f4d6dcb3ea06d4c5f35569b994ee5e7176ac2a1510316/results?tab=lookup

Result

Threat name:

MATRIX Crypter, Snake Keylogger, VIP Key

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1871043

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Suricata IDS alerts for network traffic

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Yara detected MATRIX Crypter

Yara detected Powershell decode and execute

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

Behaviour

Behavior Graph:

Download SVG

Score:

98%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/143dc395c381185bab3f4d6dcb3ea06d4c5f35569b994ee5e7176ac2a1510316

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/143dc395c381185bab3f4d6dcb3ea06d4c5f35569b994ee5e7176ac2a1510316/

Verdict:

Malicious

Threat:

Family.VIPKEYLOGGER

Link:

https://tip.neiki.dev/file/143dc395c381185bab3f4d6dcb3ea06d4c5f35569b994ee5e7176ac2a1510316

Threat name:

Script-PowerShell.Trojan.XWorm

Status:

Malicious

First seen:

2026-02-10 19:00:48 UTC

AV detection:

3 of 37 (8.11%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cq64hfodqemfxkz7jvw4wpvanvgf6nkwtomu5zphc5vmfikramla._file

Verdict:

malicious

Label(s):

vipkeylogger

VIPKeylogger

65032d50c2a6525b8b9cc9636278a4228bbe65ed478c4cea87e40370b2954c1d

VIPKeylogger

722f03602e2f49798b90975a8abbd3270b984399f49286f876c3156aff671959

VIPKeylogger

75cc0d7abb4cb0145f0dc0639fbee4be7925dd45a38664e063095963c482ea78

VIPKeylogger

78f8b46dfdd55f7914e78f925189180f674945327ee3fa9187e2d5de86b15337

VIPKeylogger

913c3cd8ea89f18055f6c83341936078db76472f8297708e5a0bbf147823a388

VIPKeylogger

ceaa3016ce3897c17e580b58f2a41cc247de57bada3271b30aa389bcf3787ea0

VIPKeylogger

error

VIPKeylogger

+ 2'858 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

execution

Link:

https://tria.ge/reports/260218-lg952ae17h/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Command and Scripting Interpreter: PowerShell

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/143dc395c381185bab3f4d6dcb3ea06d4c5f35569b994ee5e7176ac2a1510316

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	detect_powershell Create hunting rule
Author:	daniyyell
Description:	Detects suspicious PowerShell activity related to malware execution

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	Suspicious_PS_Strings Create hunting rule
Author:	Lucas Acha (http://www.lukeacha.com)
Description:	observed set of strings which are likely malicious, observed with Jupyter malware.
Reference:	http://security5magics.blogspot.com/2020/12/tracking-jupyter-malware.html

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	telebot_framework Create hunting rule
Author:	vietdx.mb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

VIPKeylogger

ps1 143dc395c381185bab3f4d6dcb3ea06d4c5f35569b994ee5e7176ac2a1510316

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3779554/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample