MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1ef70c3770a650879a1e72fcd050deab1528caf6167026a9a6afeff2c8078d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

VIPKeylogger

Vendor detections: 8

Intelligence 8 IOCs YARA 8 File information Comments

SHA256 hash:	a1ef70c3770a650879a1e72fcd050deab1528caf6167026a9a6afeff2c8078d1
SHA3-384 hash:	2caa96c3a1f6717c49a0bf17e25029d16815b887937bedfaf6d76ed6212909a207c79fc4709f160bd1336d14518a4845
SHA1 hash:	8c1b92b3694c2aae2f7159dbe07cbea1c3d2cfdf
MD5 hash:	80b440b1bb383b153821677c08d8c1d3
humanhash:	victor-enemy-pennsylvania-white
File name:	invoice.r15
Download:	download sample
Signature	VIPKeylogger Create hunting rule
File size:	661'500 bytes
First seen:	2025-07-23 09:15:21 UTC
Last seen:	2025-07-23 12:49:21 UTC
File type:	rar
MIME type:	application/x-rar
ssdeep	12288:iLj6YXQPzpIigL8aus1X0mbKfhnsVJVI1F9W45bWDwkcZhSFMklJqN5ThD:iL+YX4aanSMsvVGFEAbXdDSFMklJCFhD
TLSH	T139E423F1AB7EE44D8CA5D8A5B68DBC380044147A46092702B5DF3A5DB88D78D4CEAEF1
TrID	61.5% (.RAR) RAR compressed archive (v5.0) (8000/1) 38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Magika	rar
Reporter	cocaman
Tags:	INVOICE r15 rar Shipping VIPKeylogger

cocaman

Malicious email (T1566.001)
From: "dayang.akim@cimb.com" (likely spoofed)
Received: "from [77.90.153.108] (unknown [77.90.153.108]) "
Date: "23 Jul 2025 05:44:24 -0700"
Subject: "Re: Shipping Order"
Attachment: "invoice.r15"

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	invoice.exe
File size:	708'096 bytes
SHA256 hash:	282c71a915fb16491ac0ca5e5bc43ec8079ebf6db203d880d2b40c6217782807
MD5 hash:	1b643e94f456fc7e0c0915ca0606eba0
MIME type:	application/x-dosexec
Signature	VIPKeylogger

Vendor Threat Intelligence

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6880a83784b37dd61ef0ee0b

Tags:

spawn shell virus

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 bitmap lolbin masquerade msbuild obfuscated packed packed reconnaissance regsvcs rezer0 roboski schtasks stego telegram vbc vbnet

Link:

https://www.filescan.io/uploads/6880a8375076b202e43ee054/reports/dbeaf186-e0d0-4d58-83e1-388d20c8ef4d/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/a1ef70c3770a650879a1e72fcd050deab1528caf6167026a9a6afeff2c8078d1

Verdict:

inconclusive

YARA:

1 match(es)

Tags:

.Net Executable PDB Path PE (Portable Executable) Rar Archive SOS: 0.18

Link:

https://app.malva.re/file/80b440b1bb383b153821677c08d8c1d3

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a1ef70c3770a650879a1e72fcd050deab1528caf6167026a9a6afeff2c8078d1/

Verdict:

Malicious

Threat:

ByteCode-MSIL.Trojan.MassLogger

Link:

https://tip.neiki.dev/file/a1ef70c3770a650879a1e72fcd050deab1528caf6167026a9a6afeff2c8078d1

Threat name:

ByteCode-MSIL.Trojan.MassLogger

Status:

Malicious

First seen:

2025-07-23 09:15:24 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

20 of 35 (57.14%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=uhxxbq3xbjsqq6nb44x42bin5kyvfdfpmftqe2u2nl7p6leapdiq._file

Result

Malware family:

vipkeylogger

Score:

10/10

Tags:

family:vipkeylogger collection discovery execution keylogger persistence stealer

Link:

https://tria.ge/reports/250723-mdds4avydy/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

SmartAssembly .NET packer

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Command and Scripting Interpreter: PowerShell

VIPKeylogger

Vipkeylogger family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/a1ef70c3770a650879a1e72fcd050deab1528caf6167026a9a6afeff2c8078d1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)