MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 913c3cd8ea89f18055f6c83341936078db76472f8297708e5a0bbf147823a388. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

VIPKeylogger

Vendor detections: 13

Intelligence 13 IOCs YARA 5 File information Comments

SHA256 hash:	913c3cd8ea89f18055f6c83341936078db76472f8297708e5a0bbf147823a388
SHA3-384 hash:	726063538c81bfac0a8cb60112bb28f13500bd9ad3982ca0c0d0affdd351225cb3cdfcf5f132bcac74ecde160aefbe9c
SHA1 hash:	0069a4011c26fc77e6ac205717b43e37cc631320
MD5 hash:	93190b7b3f6bee85eac5a8f0286cb90d
humanhash:	hawaii-montana-cup-mike
File name:	ENCRYPTED.ps1
Download:	download sample
Signature	VIPKeylogger Create hunting rule
File size:	1'196'653 bytes
First seen:	2026-02-18 09:30:13 UTC
Last seen:	Never
File type:	ps1
MIME type:	text/plain
ssdeep	24576:W1Juf+1A7pQeyaNsdi/T8/Etcv294Kt1qA8ZRSDOyO:Wu2qKV/5Q1CSSd
Threatray	2'873 similar samples on MalwareBazaar
TLSH	T18C451211C94ACD29826C8125242A6CCB5A804E735C54BBA67FAF4B8D1F1F64FC5723FE
Magika	powershell
Reporter	abuse_ch
Tags:	ps1 VIPKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=699586cf2d369b1ab284fcdc

Tags:

ransomware backdoor hype

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 crypt powershell xworm

Link:

https://www.filescan.io/uploads/699586c7cd25bfe1dfd48603/reports/230a2f9b-3a9f-4c95-91ec-9558a9647ec1/overview

Verdict:

Suspicious

Labled as:

PowerShell/Kryptik.LR trojan

Link:

https://www.hybrid-analysis.com/sample/913c3cd8ea89f18055f6c83341936078db76472f8297708e5a0bbf147823a388

Result

Gathering data

Verdict:

Malicious

File Type:

ps1

First seen:

2026-02-09T00:42:00Z UTC

Last seen:

2026-02-09T01:01:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/913c3cd8ea89f18055f6c83341936078db76472f8297708e5a0bbf147823a388/results?tab=lookup

Result

Threat name:

MATRIX Crypter, Snake Keylogger, VIP Key

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1871051

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Suricata IDS alerts for network traffic

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Yara detected MATRIX Crypter

Yara detected Powershell decode and execute

Yara detected Powershell decrypt and execute

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

Behaviour

Behavior Graph:

Download SVG

Score:

88%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/913c3cd8ea89f18055f6c83341936078db76472f8297708e5a0bbf147823a388

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/913c3cd8ea89f18055f6c83341936078db76472f8297708e5a0bbf147823a388/

Verdict:

Malicious

Threat:

Family.VIPKEYLOGGER

Link:

https://tip.neiki.dev/file/913c3cd8ea89f18055f6c83341936078db76472f8297708e5a0bbf147823a388

Threat name:

Script-PowerShell.Trojan.XWorm

Status:

Malicious

First seen:

2026-02-11 19:59:34 UTC

AV detection:

14 of 38 (36.84%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=se6dzwhkrhyyavpwzazude3apdnxmrzpqklxbds2bo7ri6bduoea._file

Verdict:

malicious

Label(s):

vipkeylogger

VIPKeylogger

1d2a2b5e545def1978b91058fe027033b646d1bc1876b219b0963a073141e867

VIPKeylogger

5d02937446d2031b8d6f28d4dab29da62a1358864bca30cb1ebb3355478d3140

VIPKeylogger

7db983607b14ea67a3d656542e033ba69fdbd3a4bcb7bea0251205d219ab71bd

VIPKeylogger

8ece82ad36ddad1e13a955098ea9629364950ed21a1155d7be4921208e62eb0c

VIPKeylogger

d6255b39e2be431e6226c8414b75721a16c114960f8a87acc06ea9fa7563006f

VIPKeylogger

error

VIPKeylogger

faa236eaf11ddab3abe7dcc8c69613d89edf60da47060bf6dc881fa9e118cd9e

VIPKeylogger

+ 2'863 additional samples on MalwareBazaar

Result

Malware family:

vipkeylogger

Score:

10/10

Tags:

family:vipkeylogger collection discovery execution keylogger stealer

Link:

https://tria.ge/reports/260218-lgthaae16c/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Browser Information Discovery

Command and Scripting Interpreter: PowerShell

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

VIPKeylogger

Vipkeylogger family

Malware Config

C2 Extraction:

https://api.telegram.org/bot8099843793:AAGeYKMLti1IpyT9o6bz7OtgdXF9md25uXA/sendMessage?chat_id=6337180137

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/913c3cd8ea89f18055f6c83341936078db76472f8297708e5a0bbf147823a388

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	detect_powershell Create hunting rule
Author:	daniyyell
Description:	Detects suspicious PowerShell activity related to malware execution

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	telebot_framework Create hunting rule
Author:	vietdx.mb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

VIPKeylogger

ps1 913c3cd8ea89f18055f6c83341936078db76472f8297708e5a0bbf147823a388

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3779561/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample