MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 369291d0a225ac4683f2a3b01d6643946d3b4e1bf75538ea8896ff38ee2573ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VIPKeylogger


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 369291d0a225ac4683f2a3b01d6643946d3b4e1bf75538ea8896ff38ee2573ce
SHA3-384 hash: be6967889114bcc2d70bf3356675c1337b4036615b9bb7bbedc1202c33dd0757e706e7c955395afc9723cfc3d4aa1667
SHA1 hash: a2f5019a14aac2e9a0b248726291409ffe21eb85
MD5 hash: 19d1c4d2fe4818f2123ebabd62aad665
humanhash: mexico-solar-kitten-pip
File name:Encrypted_Script.ps1
Download: download sample
Signature VIPKeylogger
Create hunting rule
File size:1'089'036 bytes
First seen:2025-12-09 13:09:37 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 24576:0TfLi8Lmc5vwgUIoFHEgMadmAIGT+vHKD6kQu8up:0NmcNwg+/mA9+PKOPf0
Threatray 2'945 similar samples on MalwareBazaar
TLSH T10D3523B07EE63EAE46BCC73F61694F38AAA02B54845459CF73EEA4C443EE601B44F451
Magika powershell
Reporter abuse_ch
Tags:ps1 VIPKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
56
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69381fc6a675b653bd0f616d
Tags:
ransomware vmdetect backdoor hype
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm aspnet_compiler base64 evasive lolbin obfuscated obfuscated powershell reconnaissance
Link:
https://www.filescan.io/uploads/69381fc3ff25e40750d956e9/reports/4a6183e1-0913-4734-9624-ddc13651a51b/overview
Verdict:
Malicious
Labled as:
PowerShell/Agent.DRW trojan
Link:
https://www.hybrid-analysis.com/sample/369291d0a225ac4683f2a3b01d6643946d3b4e1bf75538ea8896ff38ee2573ce
Verdict:
Malicious
File Type:
ps1
First seen:
2025-12-08T08:29:00Z UTC
Last seen:
2025-12-09T10:30:00Z UTC
Hits:
~10
Detections:
Trojan-PSW.Win32.Stelega.sb Trojan-PSW.Win32.Stealer.sb Trojan.Win32.InjectorNetT.s PDM:Trojan.Win32.Generic HEUR:Trojan-Spy.MSIL.Agent.sb
Link:
https://opentip.kaspersky.com/369291d0a225ac4683f2a3b01d6643946d3b4e1bf75538ea8896ff38ee2573ce/results?tab=lookup
Result
Threat name:
Snake Keylogger, VIP Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1829447
Signature
.NET source code references suspicious native API functions
AI detected malicious Powershell script
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Powershell decode and execute
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/369291d0a225ac4683f2a3b01d6643946d3b4e1bf75538ea8896ff38ee2573ce
Verdict:
inconclusive
YARA:
1 match(es)
Tags:
Base64 Block Contains Base64 Block PowerShell
Link:
https://app.malva.re/file/19d1c4d2fe4818f2123ebabd62aad665
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/369291d0a225ac4683f2a3b01d6643946d3b4e1bf75538ea8896ff38ee2573ce/
Verdict:
Malicious
Threat:
Family.SNAKE
Link:
https://tip.neiki.dev/file/369291d0a225ac4683f2a3b01d6643946d3b4e1bf75538ea8896ff38ee2573ce
Threat name:
Script-PowerShell.Spyware.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2025-12-08 21:54:58 UTC
AV detection:
5 of 24 (20.83%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=g2jjdufcewwena7suoyb2zsdsrwtwtq365ktr2uis37tr3rfopha._file
Verdict:
malicious
Label(s):
fantomcrypt
Create hunting rule
vipkeylogger
Create hunting rule
Similar samples:
65032d50c2a6525b8b9cc9636278a4228bbe65ed478c4cea87e40370b2954c1d
VIPKeylogger
722f03602e2f49798b90975a8abbd3270b984399f49286f876c3156aff671959
VIPKeylogger
7693bac5a927633eff56819ee7ab55dea7d03c2b25286b335380b2afa053fff5
VIPKeylogger
78f8b46dfdd55f7914e78f925189180f674945327ee3fa9187e2d5de86b15337
VIPKeylogger
d6f0f38727c762b36df15c44ef60ca77e766fb4f961634b21f4a2c806c481038
VIPKeylogger
error
VIPKeylogger
+ 2'935 additional samples on MalwareBazaar
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:vipkeylogger collection discovery execution keylogger stealer
Link:
https://tria.ge/reports/251209-qekvkshl7t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
VIPKeylogger
Vipkeylogger family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/369291d0a225ac4683f2a3b01d6643946d3b4e1bf75538ea8896ff38ee2573ce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

VIPKeylogger

PowerShell (PS) ps1 369291d0a225ac4683f2a3b01d6643946d3b4e1bf75538ea8896ff38ee2573ce

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3729376/
  
Delivery method
Distributed via web download

Comments