MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 58f594c518e9fdb8834536ca003f068ef18cd17dfa7638651631f22713fa9041. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VIPKeylogger


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 58f594c518e9fdb8834536ca003f068ef18cd17dfa7638651631f22713fa9041
SHA3-384 hash: 613014841ab5f615060ea86129894b184ca6b881deb5a3087169bd2bda7088a45b3c19488fdfbd9eadbb2f811878b971
SHA1 hash: 6c995aa59e267143b11e9bbf4d6bd19930bc41cb
MD5 hash: 744880276f0cac93094e754f0130534a
humanhash: fix-mississippi-ack-skylark
File name:TRANSF JUSTIFICANTE_202508080093257.PDF.vbs
Download: download sample
Signature VIPKeylogger
Create hunting rule
File size:60'560 bytes
First seen:2025-08-08 16:41:05 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 384:/GF8Z/7p8QndpwqjLD5zt/RXpUypuH/bl32zPGEyMjj64ksm7YMI0t6hpbmmnO:p/5zt/RXpY
Threatray 23 similar samples on MalwareBazaar
TLSH T12A433EC4B545774177F0394AC20C2F7CB6EA86046686753A6CBF2BDE86337D92087A9C
Magika vba
Reporter abuse_ch
Tags:vbs VIPKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
29
Origin country :
SE SE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/19718/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=689628d111d7f9b979e6ab86
Tags:
obfuscate xtreme virus
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
threat
Link:
https://www.filescan.io/uploads/689628cd9ef4d2ff7cf2e76a/reports/4122d776-e5a5-47cb-9f90-2debeaa2987b/overview
Verdict:
Suspicious
Labled as:
VBS/Agent.CEJ2
Link:
https://www.hybrid-analysis.com/sample/58f594c518e9fdb8834536ca003f068ef18cd17dfa7638651631f22713fa9041
Result
Threat name:
PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1753186
Signature
Bypasses PowerShell execution policy
Found Tor onion address
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses an obfuscated file name to hide its real file extension (double extension)
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
Verdict:
Malware
YARA:
3 match(es)
Tags:
Batch Command DeObfuscated Html PowerShell PowerShell Call VBScript WScript.Shell
Link:
https://app.malva.re/file/744880276f0cac93094e754f0130534a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/58f594c518e9fdb8834536ca003f068ef18cd17dfa7638651631f22713fa9041/
Threat name:
Script-WScript.Spyware.Snakekeylogger
Create hunting rule
Status:
Suspicious
First seen:
2025-08-08 09:44:49 UTC
File Type:
Binary
AV detection:
8 of 24 (33.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ld2zjriy5h63ra2fg3faapygr3yyzul57j3dqziwghzcoe72sbaq._file
Verdict:
malicious
Label(s):
vipkeylogger
Create hunting rule
Similar samples:
00c925206d3ceb1af4aa2dd2cd5d666fc7a203242ea0a9ba4d3d60a4fdaae1ee
VIPKeylogger
0c60a7a985dc3e5dae7aedcccdd5370fc106959e12c59a1744744260a9cdb833
VIPKeylogger
267d2243fe320cdb65604a5d385dc0b1405596e8874fe4262f687d9f413ebf4c
VIPKeylogger
65c11f3f48285943334d96b4a9d8292b517020f40dcc3989648accdb7dfadc60
VIPKeylogger
8343e66198955a3fad718a52fc9ce96bba5cb2862ef76fce04591a047943cbcb
VIPKeylogger
a8d6f66d16d98baefb54cba98117106ad64788310db9112d1980b4ec302b5310
VIPKeylogger
b27ff5ca901be9f35f0a72a72ec97be60097a6b65829403583e98e7ccc4827b1
VIPKeylogger
d25591f0627f988edceb12fdadef30e4a856b1fa016f10043cdf2379ac234b2c
VIPKeylogger
d48e5ec3a407e3bbc0e9d9d365853a5f49fec7240c2a07d1fad88859ff753be5
VIPKeylogger
error
VIPKeylogger
fd20ff871c01baf34e31d6097525890246be32f90a163afe449c70969d9edd0d
VIPKeylogger
+ 13 additional samples on MalwareBazaar
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:vipkeylogger collection discovery execution keylogger stealer
Link:
https://tria.ge/reports/250808-t7xavsap5z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
VIPKeylogger
Vipkeylogger family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/58f594c518e9fdb8834536ca003f068ef18cd17dfa7638651631f22713fa9041

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/19718/

Comments