MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c4334177584d7aee981ada042ff60124cd81a2e51e7c1514f7e2dd22f9335b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



VIPKeylogger


Vendor detections: 11



SHA256 hash: 8c4334177584d7aee981ada042ff60124cd81a2e51e7c1514f7e2dd22f9335b4
SHA3-384 hash: a42374e7b3cbebc9727aad3c4178a1a1987621ad31444c10386fe34dcc9583e9fa1d3c93576a28c4f44e5ec3f54aadbe
SHA1 hash: 96692be9dcd400a38be42fc651d755f41d923efc
MD5 hash: 82fe72e4395ab69063ae37812e097fa5
humanhash: indigo-oxygen-massachusetts-whiskey
File name: Draft doc PI ITS15235
Signature: VIPKeylogger
File size: 2'262'031 bytes
First seen: 2025-02-18 14:21:02 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 49152:jQ901eMu/JNdX1kXGyMaODU9cXx1YY0YYYYKYYcYYYfLtYsYYYtY/YYYYUFYYcY+:Q
Threatray: 27 similar samples on MalwareBazaar
TLSH: T1CEA52630B12B5B764DD686682CDF298B2EE28F438896F529964449F31FFD3216125CFC
Magika: vba
Reporter: lowmal3
Tags: vbs VIPKeylogger

Intelligence


File Origin
# of uploads: 1
# of downloads: 74
Origin country: DE

Vendor Threat Intelligence

Verdict: Malicious
Score: 99.1%
Tags: valyria agentb delphi emotet

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: adaptive-context dropper exploit fingerprint keylogger obfuscated packed redcap
Result
Verdict: MALICIOUS
Details: Base64 Encoded URL (Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.)

Result
Threat name: DBatLoader, PureLog Stealer, Snake Keylo
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates many large memory junks
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected PureLog Stealer
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Behaviour
Behavior Graph ID: 1618356
Sample: Draft doc PI ITS15235.vbs
Startdate: 18/02/2025
Architecture: WINDOWS
Score: 100

The behavior graph, rendered as a process tree (graph node numbers in brackets):

Sample [2]
    Network: reallyfreegeoip.org (Tries to detect the country of the analysis system (by using the IP)); api.telegram.org (Uses the Telegram API (likely for C&C communication)); 3 other IPs or domains
    Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 17 other signatures
    Starts: wscript.exe [9]; Naisrtpf.PIF [13]; Naisrtpf.PIF [15]
wscript.exe [9]
    Dropped: C:\Users\user\AppData\Local\Temp\x.exe (PE32)
    Signatures: Benign windows process drops PE files; VBScript performs obfuscated calls to suspicious functions; Windows Scripting host queries suspicious COM object (likely to drop second stage)
    Starts: x.exe [17]
Naisrtpf.PIF [13]
    Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Writes to foreign memory regions
    Starts: fptrsiaN.pif [21]
Naisrtpf.PIF [15]
    Signatures: Allocates memory in foreign processes; Sample uses process hollowing technique; Allocates many large memory junks
    Starts: fptrsiaN.pif [23]
x.exe [17]
    Dropped: C:\Windows \SysWOW64\svchost.pif (PE32+); C:\Windows \SysWOW6445ETUTILS.dll (PE32+); C:\Users\Public\Libraries\fptrsiaN.pif (PE32); 2 other malicious files
    Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Drops PE files with a suspicious file extension; 5 other signatures
    Starts: fptrsiaN.pif [25]; cmd.exe [29]; cmd.exe [31]
fptrsiaN.pif [23]
    Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
fptrsiaN.pif [25]
    Network: mail.irco.com.sa 46.151.208.21 (ports 49773, 49790, 49793; NASHIRNET-ASNNASHIRNETASNSA, Saudi Arabia); checkip.dyndns.com 132.226.8.169 (ports 49731, 49734, 49736; UTMEMUS, United States); 2 other IPs or domains
    Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Tries to steal Mail credentials (via file / registry access)
cmd.exe [29]
    Starts: extrac32.exe [33]; conhost.exe [37]; ndpha.pif [39]
cmd.exe [31]
    Starts: conhost.exe [41]
extrac32.exe [33]
    Dropped: C:\Users\Public\ndpha.pif (PE32)
    Signatures: Drops PE files to the user root directory; Drops PE files with a suspicious file extension
Threat name: Script-WScript.Trojan.ModiLoader
Status: Malicious
First seen: 2025-02-14 19:45:58 UTC
AV detection: 13 of 24 (54.17%)
Threat level: 5/5

Result
Malware family: vipkeylogger
Score: 10/10
Tags: family:modiloader family:vipkeylogger collection discovery keylogger persistence spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
VIPKeylogger
Vipkeylogger family
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
    VIPKeylogger
        Visual Basic Script (vbs) 8c4334177584d7aee981ada042ff60124cd81a2e51e7c1514f7e2dd22f9335b4 (this sample)

Delivery method: Distributed via e-mail attachment
