MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24f3552d3b59baef4578881daa2b70afb734f7fc02c313a30bf9b310f221260e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

VIPKeylogger

Vendor detections: 12

Intelligence 12 IOCs YARA 5 File information Comments

SHA256 hash:	24f3552d3b59baef4578881daa2b70afb734f7fc02c313a30bf9b310f221260e
SHA3-384 hash:	eea38afc99a0b5e8850b75e3a91021063d1f63560793fd072de0b63d18ec094dfdb0cd66b0cc89fcf1afa376e26e6556
SHA1 hash:	ba9ee98e39c26d628e96711a335159f3b281b531
MD5 hash:	f56d430ebce70c3b499d9b577cc7e54a
humanhash:	neptune-winner-wolfram-oxygen
File name:	SECURE_nextStage.ps1
Download:	download sample
Signature	VIPKeylogger Create hunting rule
File size:	817'718 bytes
First seen:	2026-02-26 20:33:50 UTC
Last seen:	Never
File type:	ps1
MIME type:	text/plain
ssdeep	1536:8ugIJQ4RPJXXkqUXAvtjpr9ZEo+zqajKRBv/PA9+VW/Ehe/YFCqe+HvhkS/ljuy3:TPbXkqUXAvtjpr9Cqaj0VPg+P
Threatray	2'871 similar samples on MalwareBazaar
TLSH	T10C05CEB6039443BAE2D507C0421CA21A4AF6D66B74683C6DDFF35DDBBC29E832478572
Magika	powershell
Reporter	R4ruk
Tags:	ps1 VIPKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

SecuriteInfo.com.Generic-EXE.UNOFFICIAL

SecuriteInfo.com.PUA.Base64EXE-2.UNOFFICIAL

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69a0ae488fffa866e3b28709

Tags:

ransomware backdoor hype

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

aspnet_compiler base64 base64 evasive lolbin obfuscated obfuscated obfuscated powershell reconnaissance

Link:

https://www.filescan.io/uploads/69a0ae4597feb4afd65db3ae/reports/11c36820-10bb-4fd2-85ec-29c6483feb67/overview

Verdict:

Malicious

Labled as:

PowerShell/TrojanDropper.Agent

Link:

https://www.hybrid-analysis.com/sample/24f3552d3b59baef4578881daa2b70afb734f7fc02c313a30bf9b310f221260e

Verdict:

Malicious

File Type:

unix shell

Detections:

HEUR:Trojan.MSIL.Agent.gen

Link:

https://opentip.kaspersky.com/24f3552d3b59baef4578881daa2b70afb734f7fc02c313a30bf9b310f221260e/results?tab=lookup

Score:

95%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/24f3552d3b59baef4578881daa2b70afb734f7fc02c313a30bf9b310f221260e

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/24f3552d3b59baef4578881daa2b70afb734f7fc02c313a30bf9b310f221260e/

Verdict:

Malicious

Threat:

Family.SNAKE

Link:

https://tip.neiki.dev/file/24f3552d3b59baef4578881daa2b70afb734f7fc02c313a30bf9b310f221260e

Threat name:

Script-PowerShell.Trojan.Egairtigado

Status:

Malicious

First seen:

2026-02-26 20:34:16 UTC

File Type:

Text (PowerShell)

AV detection:

13 of 37 (35.14%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=etzvklj3lg5o6rlyrao2uk3qv63tj574albrhiyl7gzrb4rbeyha._file

Verdict:

malicious

Label(s):

fantomcrypt

vipkeylogger

VIPKeylogger

50681a74fd565805b9fa7d22dcb00ff4578b6821cdefb8c4d0f0da619f5621ca

VIPKeylogger

722f03602e2f49798b90975a8abbd3270b984399f49286f876c3156aff671959

VIPKeylogger

75cc0d7abb4cb0145f0dc0639fbee4be7925dd45a38664e063095963c482ea78

VIPKeylogger

78f8b46dfdd55f7914e78f925189180f674945327ee3fa9187e2d5de86b15337

VIPKeylogger

ceaa3016ce3897c17e580b58f2a41cc247de57bada3271b30aa389bcf3787ea0

VIPKeylogger

e90adc72a53422843d36133d4fed1a6e77149e7e2a81aa751a97a2460645850e

VIPKeylogger

error

VIPKeylogger

+ 2'861 additional samples on MalwareBazaar

Result

Malware family:

vipkeylogger

Score:

10/10

Tags:

family:vipkeylogger collection discovery execution keylogger stealer

Link:

https://tria.ge/reports/260226-zch3msfs6a/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Browser Information Discovery

Command and Scripting Interpreter: PowerShell

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

VIPKeylogger

Vipkeylogger family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/24f3552d3b59baef4578881daa2b70afb734f7fc02c313a30bf9b310f221260e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	detect_powershell Create hunting rule
Author:	daniyyell
Description:	Detects suspicious PowerShell activity related to malware execution

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	rhadamanthys_ps1_v1 Create hunting rule
Author:	RandomMalware

Rule name:	SUSP_PS1_FromBase64String_Content_Indicator_RID3714 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious base64 encoded PowerShell expressions
Reference:	https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)