MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc9850a2d113f4653d3e20d7d09054240d88a74a2157fd213a6433a489d9b81d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VIPKeylogger


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bc9850a2d113f4653d3e20d7d09054240d88a74a2157fd213a6433a489d9b81d
SHA3-384 hash: 33b26f969b9c1c880ee933a0c55a594639b1856e5ec29e29cff6fca9604a5e097d594b82855cf93fd52d9bb32282263d
SHA1 hash: ffa673a34542511b8e2990e8db7241cf68cfc484
MD5 hash: 6b3abb72c5e51ea12681d504d6018d71
humanhash: maryland-shade-seven-eighteen
File name:rRFQlines-8553_xlsx.vbs
Download: download sample
Signature VIPKeylogger
Create hunting rule
File size:221'604 bytes
First seen:2025-09-25 10:00:10 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 3072:GjoGvwcmlpQLWHYXh+HzVnu7BYdFIebjUAuVnh4c8dEy:GjoQwcmlpuWHLnu7WFIBP8cBy
Threatray 1'470 similar samples on MalwareBazaar
TLSH T11624F6D45FB9FB52368919AB52D284DB3B03B326B70D6A28295C7CC157AE82C34743CD
Magika vba
Reporter FXOLabs
Tags:vbs VIPKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
40
Origin country :
BR BR
Vendor Threat Intelligence
Detection:
VIPKeyLogger
Create hunting rule
Link:
https://www.capesandbox.com/analysis/28990/
Detection(s):
SecuriteInfo.com.BAT.Obfus-7.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.BAT.Shell-1.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68d550abcc9425144151e1f0
Tags:
obfuscate xtreme shell
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 evasive masquerade obfuscated powershell
Link:
https://www.filescan.io/uploads/68d512f074e5a2898992bacb/reports/d64399b8-e405-42f9-9f03-7cdd18853298/overview
Verdict:
Suspicious
Labled as:
BAT/Agent.AZY
Link:
https://www.hybrid-analysis.com/sample/bc9850a2d113f4653d3e20d7d09054240d88a74a2157fd213a6433a489d9b81d
Verdict:
Malicious
File Type:
vbs
First seen:
2025-09-25T00:47:00Z UTC
Last seen:
2025-09-25T00:47:00Z UTC
Hits:
~1000
Detections:
HEUR:Trojan.PowerShell.Tesre.sb HEUR:Trojan.BAT.Tesre.gen Trojan-Downloader.JS.Cryptoload.sb Trojan.PowerShell.AmsiBypass.sb HEUR:Trojan.VBS.SAgent.gen HEUR:Trojan.Script.Generic PDM:Trojan.Win32.Generic Trojan.JS.SAgent.sb HEUR:Trojan-Downloader.Script.Generic Trojan.BAT.Agent.sb
Link:
https://opentip.kaspersky.com/bc9850a2d113f4653d3e20d7d09054240d88a74a2157fd213a6433a489d9b81d/results?tab=lookup
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/bc9850a2d113f4653d3e20d7d09054240d88a74a2157fd213a6433a489d9b81d
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bc9850a2d113f4653d3e20d7d09054240d88a74a2157fd213a6433a489d9b81d/
Verdict:
Malicious
Threat:
Family.VIPKEYLOGGER
Link:
https://tip.neiki.dev/file/bc9850a2d113f4653d3e20d7d09054240d88a74a2157fd213a6433a489d9b81d
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-09-25 03:41:30 UTC
File Type:
Text
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xsmfbiwrcp2gkpj6edl5becueqgyrj2kefl72ij2mqz2jcozxaoq._file
Verdict:
malicious
Label(s):
vipkeylogger
Create hunting rule
Similar samples:
044d63ab7ef7390e0db6d6809165edaefc81b164e32ccb8f6bc522a746254f3f
VIPKeylogger
252f901a3845e643dece809eb44c4e379814f002310560501592aee538503bd1
VIPKeylogger
31a41ec300e4c59521f0e3dd55191a602e20594eeac4c6c7d3c7022a90691cd2
VIPKeylogger
3f9573841a93c95c4070b90b71ea08be448733d2562f6d0457dd70e0b2093ae0
VIPKeylogger
5c0214f5bd1cfff6cd9d5f23bebe3057d4e50e066e8b49ccd58454da71992c10
VIPKeylogger
7cb744012e8115ee284e962932da78f2445ef2c766569b09f294f33b4d9c0560
VIPKeylogger
851e9edd2f30f5b6b9c0c6d51b26d7ea3b35e97898b83e1faff2c1bd3ba3649f
VIPKeylogger
aecd15cf284e8c4ba6d92a3cc082d27b24465513cdc0deb1c4ccb338ef072619
VIPKeylogger
error
VIPKeylogger
+ 1'460 additional samples on MalwareBazaar
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:vipkeylogger collection discovery execution keylogger stealer
Link:
https://tria.ge/reports/250925-l151esv1gz/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
System Location Discovery: System Language Discovery
Accesses Microsoft Outlook profiles
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Drops startup file
Badlisted process makes network request
Process spawned unexpected child process
VIPKeylogger
Vipkeylogger family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bc9850a2d113f4653d3e20d7d09054240d88a74a2157fd213a6433a489d9b81d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ClamAV_Emotet_String_Aggregate
Create hunting rule
Rule name:SUSP_PS1_JAB_Pattern_Jun22_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable
Reference:Internal Research
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

VIPKeylogger

Visual Basic Script (vbs) vbs bc9850a2d113f4653d3e20d7d09054240d88a74a2157fd213a6433a489d9b81d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/28990/

Comments