MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 588d349625e246ab2fb2c991a898220befc3891d9f9848783519d87cdfd82e7d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VIPKeylogger


Vendor detections: 13


Intelligence 13 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 588d349625e246ab2fb2c991a898220befc3891d9f9848783519d87cdfd82e7d
SHA3-384 hash: 45af1c99e987389184394dc9f1119bc96469955c6fc590067455fdfaef36b371d1674ac714ec7aa0d643555b850891e0
SHA1 hash: 4afb01eec5c931ba9dc9c703c47f3afcfa5e9062
MD5 hash: c9debc37938dd4c7731b0de839c8bd08
humanhash: high-tennis-mobile-tennis
File name:ENCRYPTED.ps1
Download: download sample
Signature VIPKeylogger
Create hunting rule
File size:1'197'105 bytes
First seen:2026-02-18 09:30:58 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 24576:hPqoHrFARERreXnWkyk4AyYcYwUvcTqrxCN7:ZqU9sy3AmYXeP
Threatray 2'863 similar samples on MalwareBazaar
TLSH T1874523A1FEAD6D140B95E2266095AD049AA50B4B1C4CB58F3F8C38DE0F1F6CF84765CE
Magika powershell
Reporter abuse_ch
Tags:ps1 VIPKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
53
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Detection(s):
SecuriteInfo.com.PowerShell.Packed.221.7542.3172.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=699586fb2d369b1ab284fcec
Tags:
vmdetect
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm powershell
Link:
https://www.filescan.io/uploads/699586ed97feb4afd6499d6d/reports/37591c5d-ecfc-4c38-bbe7-b732647271c7/overview
Verdict:
Malicious
Labled as:
PowerShell_Agent_DZG_trojan
Link:
https://www.hybrid-analysis.com/sample/588d349625e246ab2fb2c991a898220befc3891d9f9848783519d87cdfd82e7d
Verdict:
Malicious
File Type:
ps1
Detections:
Trojan.Win32.InjectorNetT.s PDM:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/588d349625e246ab2fb2c991a898220befc3891d9f9848783519d87cdfd82e7d/results?tab=lookup
Result
Threat name:
MATRIX Crypter, Snake Keylogger, VIP Key
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1871046
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
AI detected malicious Powershell script
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected MATRIX Crypter
Yara detected Powershell decode and execute
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Behaviour
Behavior Graph:
Download SVG
Score:
97%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/588d349625e246ab2fb2c991a898220befc3891d9f9848783519d87cdfd82e7d
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/588d349625e246ab2fb2c991a898220befc3891d9f9848783519d87cdfd82e7d/
Verdict:
Malicious
Threat:
Family.VIPKEYLOGGER
Link:
https://tip.neiki.dev/file/588d349625e246ab2fb2c991a898220befc3891d9f9848783519d87cdfd82e7d
Threat name:
Script-PowerShell.Trojan.XWorm
Create hunting rule
Status:
Malicious
First seen:
2026-02-17 17:35:33 UTC
AV detection:
5 of 23 (21.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lcgtjfrf4jdkwl5szgi2rgbcbpx4hci5t6meq6bvdhmhzx6yfz6q._file
Verdict:
malicious
Label(s):
vipkeylogger
Create hunting rule
Similar samples:
03ffd9138d53cd6d65d05e242d9775a3b51201a0d556d208a69509e7be0455b7
VIPKeylogger
3a0655a9973e8d7600f228240e1c3494b0acc55f46f218f42c12138d8ab73014
VIPKeylogger
50681a74fd565805b9fa7d22dcb00ff4578b6821cdefb8c4d0f0da619f5621ca
VIPKeylogger
75cc0d7abb4cb0145f0dc0639fbee4be7925dd45a38664e063095963c482ea78
VIPKeylogger
82d522f59433a213747eee3225ea33d1c1f2976a3a4a3412fe92e436f734c2f2
VIPKeylogger
ceaa3016ce3897c17e580b58f2a41cc247de57bada3271b30aa389bcf3787ea0
VIPKeylogger
error
VIPKeylogger
+ 2'853 additional samples on MalwareBazaar
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:vipkeylogger collection discovery execution keylogger stealer
Link:
https://tria.ge/reports/260218-lg9t9se17d/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
VIPKeylogger
Vipkeylogger family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/588d349625e246ab2fb2c991a898220befc3891d9f9848783519d87cdfd82e7d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Warp
Create hunting rule
Author:Seth Hardy
Description:Warp
Rule name:WarpStrings
Create hunting rule
Author:Seth Hardy
Description:Warp Identifying Strings

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

VIPKeylogger

PowerShell (PS) ps1 588d349625e246ab2fb2c991a898220befc3891d9f9848783519d87cdfd82e7d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3779566/
  
Delivery method
Distributed via web download

Comments