MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 277f240b535154d223c8231a5a5ae346fa94e86bb28e8319b24ba734c9d11ffe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VIPKeylogger


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 277f240b535154d223c8231a5a5ae346fa94e86bb28e8319b24ba734c9d11ffe
SHA3-384 hash: e8a685d4e27fa5b2ec626c4b849e93beedc769465b7c29ef6b84909c1c5f4c98e710ac0acac7fcd126ff109d98a7e580
SHA1 hash: 19812d10b6c843009c262020126252c0a3db2903
MD5 hash: 54d924b92ffc58d88914d49c260a3d25
humanhash: whiskey-lemon-football-moon
File name:Scanned-Doc-t00778786867-QUO.LNK
Download: download sample
Signature VIPKeylogger
Create hunting rule
File size:202'623 bytes
First seen:2025-05-07 09:32:52 UTC
Last seen:Never
File type:Shortcut (lnk) lnk
MIME type:application/x-ms-shortcut
ssdeep 6144:zM4hyPAQ41p9pL2HkuJDRF1so7CSym0ReD:zM0Zv1zZGH6oTy3ReD
Threatray 20 similar samples on MalwareBazaar
TLSH T12E14F292DF7A2FD9FF3C597C086E1A4A0C9D2E323C31C4F59A67150741286E617A2C2B
Magika lnk
Reporter abuse_ch
Tags:lnk VIPKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.28759.LnkHeur.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.LNK.PowerShell.Download-1.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=681b29336c95617a27b5b744
Tags:
vmdetect delphi emotet
Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Link:
https://app.docguard.net/277f240b535154d223c8231a5a5ae346fa94e86bb28e8319b24ba734c9d11ffe/results/dashboard
Payload URLs
URL
File name
https://link.storjshare.io/raw/jwhe3gzbudisllsiaxgwiuuumi6a/mi-newuploads/huntta.txt','C:\\ProgramData\\HEW.GIF');
LNK File
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Labled as:
PWSH.Downloader.D.Generic
Link:
https://www.hybrid-analysis.com/sample/277f240b535154d223c8231a5a5ae346fa94e86bb28e8319b24ba734c9d11ffe
Result
Threat name:
DBatLoader, Snake Keylogger, VIP Keylogg
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1683086
Signature
.NET source code contains potential unpacker
Allocates many large memory junks
Allocates memory in foreign processes
Antivirus detection for URL or domain
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Encrypted powershell cmdline option found
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell DownloadFile
Sigma detected: Suspicious PowerShell Download and Execute Pattern
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to download and execute files (via powershell)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Windows shortcut file (LNK) contains suspicious command line arguments
Windows shortcut file (LNK) starts blacklisted processes
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Powershell download and execute
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1683086 Sample: Scanned-Doc-t00778786867-QU... Startdate: 07/05/2025 Architecture: WINDOWS Score: 100 52 reallyfreegeoip.org 2->52 54 api.telegram.org 2->54 56 4 other IPs or domains 2->56 80 Suricata IDS alerts for network traffic 2->80 82 Found malware configuration 2->82 84 Malicious sample detected (through community Yara rule) 2->84 90 20 other signatures 2->90 9 powershell.exe 14 22 2->9         started        14 rundll32.exe 3 2->14         started        signatures3 86 Tries to detect the country of the analysis system (by using the IP) 52->86 88 Uses the Telegram API (likely for C&C communication) 54->88 process4 dnsIp5 64 link.storjshare.io 136.0.77.2, 443, 49692, 49698 EGIHOSTINGUS United States 9->64 50 C:\ProgramData\CHROME.PIF, PE32 9->50 dropped 102 Drops PE files with a suspicious file extension 9->102 104 Found suspicious powershell code related to unpacking or dynamic code loading 9->104 106 Powershell drops PE file 9->106 16 CHROME.PIF 9 9->16         started        20 conhost.exe 1 9->20         started        22 Zzqqvvpi.PIF 14->22         started        file6 signatures7 process8 file9 44 C:\Users\user\Links\ipvvqqzZ.pif, PE32 16->44 dropped 46 C:\Users\user\Links\Zzqqvvpi.PIF (copy), PE32 16->46 dropped 48 C:\Users\user\Links\Zzqqvvpi, OpenPGP 16->48 dropped 66 Windows shortcut file (LNK) starts blacklisted processes 16->66 68 Drops PE files to the user root directory 16->68 70 Drops PE files with a suspicious file extension 16->70 78 2 other signatures 16->78 24 ipvvqqzZ.pif 15 2 16->24         started        28 cmd.exe 1 16->28         started        30 cmd.exe 1 16->30         started        32 cmd.exe 1 16->32         started        72 Writes to foreign memory regions 22->72 74 Allocates memory in foreign processes 22->74 76 Sample uses process hollowing technique 22->76 34 ipvvqqzZ.pif 2 22->34         started        signatures10 process11 dnsIp12 58 server276.web-hosting.com 68.65.123.120, 49718, 49735, 587 NAMECHEAP-NETUS United States 24->58 60 checkip.dyndns.com 132.226.247.73, 49700, 49702, 49703 UTMEMUS United States 24->60 62 2 other IPs or domains 24->62 92 Detected unpacking (changes PE section rights) 24->92 94 Detected unpacking (overwrites its own PE header) 24->94 96 Tries to steal Mail credentials (via file / registry access) 24->96 98 Uses schtasks.exe or at.exe to add and modify task schedules 28->98 36 conhost.exe 28->36         started        38 conhost.exe 30->38         started        40 schtasks.exe 1 30->40         started        42 conhost.exe 32->42         started        100 Tries to harvest and steal browser information (history, passwords, etc) 34->100 signatures13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/277f240b535154d223c8231a5a5ae346fa94e86bb28e8319b24ba734c9d11ffe/
Threat name:
Script-PowerShell.Trojan.Boxter
Create hunting rule
Status:
Malicious
First seen:
2025-05-07 09:33:17 UTC
File Type:
Binary
Extracted files:
1
AV detection:
19 of 37 (51.35%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=e57sic2tkfknei6iemnfuwxdi35jj2dlwkhiggnsjottjsord77a._file
Verdict:
malicious
Label(s):
vipkeylogger
Create hunting rule
dbatloader
Create hunting rule
unc_loader_001
Create hunting rule
Similar samples:
787fb1570efc6506d971041dd3bb978af7e9caa00e257ec00542338189bff326
VIPKeylogger
83cf46d97ff17059d13fec2ffed67b59ae0836a26d04eab09c3447fb6da7cde0
VIPKeylogger
9034398fd454299b2a318ca872e370de2ec0949eff0baa668409079b5cc3d1c6
VIPKeylogger
a0d767fd05c090d8d2f7f32b4a545fa5256e80962ec54facdaf2ac89f8acb3f7
VIPKeylogger
b662371c1c5432f0afe379c120312a067671bbc44157971350df21d0c59e5cc1
VIPKeylogger
e27129d1d44ca69f37a0eb4794edabca8cfdc3fad6d98acad30444d0d4a9bcb8
VIPKeylogger
error
VIPKeylogger
fa03c08a95fb19f15ca8a54581263536dd93317309b7f0a3865663e58b4a20ec
VIPKeylogger
fb9e0b4298f1727f9be78e30fed5916dc226491d46b12d69b3321b77b9a22445
VIPKeylogger
+ 10 additional samples on MalwareBazaar
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:vipkeylogger collection discovery execution keylogger spyware stealer trojan
Link:
https://tria.ge/reports/250507-lh97essny5/
Behaviour
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
VIPKeylogger
Vipkeylogger family
Malware Config
Dropper Extraction:
https://link.storjshare.io/raw/jwhe3gzbudisllsiaxgwiuuumi6a/mi-newuploads/huntta.txt
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/277f240b535154d223c8231a5a5ae346fa94e86bb28e8319b24ba734c9d11ffe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Download_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies download artefacts in shortcut (LNK) files.
Rule name:Large_filesize_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies shortcut (LNK) file larger than 100KB. Most goodware LNK files are smaller than 100KB.
Rule name:PS_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies PowerShell artefacts in shortcut (LNK) files.
Rule name:SUSP_LNK_SuspiciousCommands
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects LNK file with suspicious content
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments