MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ddb8f6656936eca3494339a3193ea49d3fef93328b57727bbda16450384ec78c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VIPKeylogger


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ddb8f6656936eca3494339a3193ea49d3fef93328b57727bbda16450384ec78c
SHA3-384 hash: f2b3e3f7e28fc70f6e6b5f604fa1a5b66a6ad57c7c3f2a37f7052641a5a6dd2b7db4f81ce5b7e1a33f9103f8ecd23b58
SHA1 hash: 3ce55ef7f1f6781620a46d42e6ef1b7e21d78c09
MD5 hash: e582f5201020d76d35703f3bdb4266b0
humanhash: undress-missouri-one-beryllium
File name:APRIL _ORDER (1).vbs
Download: download sample
Signature VIPKeylogger
Create hunting rule
File size:149'170 bytes
First seen:2025-04-08 05:54:02 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 3072:gvGFIX7cBs7t3OHf8do07jnuvyqlh7V9xeSy5Y7qnCpe0cbK:dFIX7cC7t3OHfO7j2L3b4SICvr
Threatray 3'381 similar samples on MalwareBazaar
TLSH T188E32BFDCBE2EC848B53B0F3671C3B2124AD4762DAB56F3EE0D5097E18D1A44A1B15A4
Magika vba
Reporter abuse_ch
Tags:vbs VIPKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
98
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/1198/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67f4bb33e011fe619facf963
Tags:
obfuscate autorun xtreme sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade obfuscated
Link:
https://www.filescan.io/uploads/67f4ba182d430c849e0c25e4/reports/75b3b535-e1e5-46d0-aae3-2af2fe69ad81/overview
Verdict:
Malicious
Labled as:
GT:VB.Zbot.9
Link:
https://www.hybrid-analysis.com/sample/ddb8f6656936eca3494339a3193ea49d3fef93328b57727bbda16450384ec78c
Result
Threat name:
Batch Injector, Snake Keylogger, VIP Key
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1658921
Signature
.NET source code contains a sample name check
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Batch Injector
Yara detected Powershell decode and execute
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1658921 Sample: APRIL _ORDER (1).vbs Startdate: 08/04/2025 Architecture: WINDOWS Score: 100 68 reallyfreegeoip.org 2->68 70 api.telegram.org 2->70 72 2 other IPs or domains 2->72 80 Suricata IDS alerts for network traffic 2->80 82 Found malware configuration 2->82 84 Malicious sample detected (through community Yara rule) 2->84 90 17 other signatures 2->90 9 wscript.exe 2 2->9         started        13 cmd.exe 2->13         started        15 cmd.exe 1 2->15         started        17 7 other processes 2->17 signatures3 86 Tries to detect the country of the analysis system (by using the IP) 68->86 88 Uses the Telegram API (likely for C&C communication) 70->88 process4 file5 64 C:\Users\user\AppData\...\temp_script.bat, ASCII 9->64 dropped 106 VBScript performs obfuscated calls to suspicious functions 9->106 108 Wscript starts Powershell (via cmd or directly) 9->108 110 Windows Scripting host queries suspicious COM object (likely to drop second stage) 9->110 112 Suspicious execution chain found 9->112 19 cmd.exe 1 9->19         started        22 cmd.exe 13->22         started        24 conhost.exe 13->24         started        26 cmd.exe 1 15->26         started        28 conhost.exe 15->28         started        30 cmd.exe 1 17->30         started        32 cmd.exe 1 17->32         started        34 cmd.exe 1 17->34         started        36 11 other processes 17->36 signatures6 process7 signatures8 92 Suspicious powershell command line found 19->92 94 Wscript starts Powershell (via cmd or directly) 19->94 96 Bypasses PowerShell execution policy 19->96 38 cmd.exe 2 19->38         started        41 conhost.exe 19->41         started        43 powershell.exe 22->43         started        45 conhost.exe 22->45         started        47 2 other processes 26->47 49 2 other processes 30->49 51 2 other processes 32->51 53 2 other processes 34->53 55 8 other processes 36->55 process9 signatures10 98 Suspicious powershell command line found 38->98 100 Wscript starts Powershell (via cmd or directly) 38->100 57 powershell.exe 15 19 38->57         started        62 conhost.exe 38->62         started        102 Tries to steal Mail credentials (via file / registry access) 43->102 104 Tries to harvest and steal browser information (history, passwords, etc) 43->104 process11 dnsIp12 74 api.telegram.org 149.154.167.220, 443, 49730, 49743 TELEGRAMRU United Kingdom 57->74 76 checkip.dyndns.com 193.122.6.168, 49720, 49733, 49744 ORACLE-BMC-31898US United States 57->76 78 reallyfreegeoip.org 104.21.96.1, 443, 49721, 49722 CLOUDFLARENETUS United States 57->78 66 C:\Users\user\...\StartupScript_e5f81fb2.cmd, ASCII 57->66 dropped 114 Tries to steal Mail credentials (via file / registry access) 57->114 116 Found suspicious powershell code related to unpacking or dynamic code loading 57->116 file13 signatures14
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/ddb8f6656936eca3494339a3193ea49d3fef93328b57727bbda16450384ec78c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ddb8f6656936eca3494339a3193ea49d3fef93328b57727bbda16450384ec78c/
Threat name:
Win32.Infostealer.Zeus
Create hunting rule
Status:
Malicious
First seen:
2025-04-08 03:14:41 UTC
File Type:
Text (VBS)
AV detection:
12 of 38 (31.58%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3w4pmzljg3wkgskdhgrrspvetu767ezsrnlxe655ufsfaocoy6ga._file
Verdict:
malicious
Label(s):
vipkeylogger
Create hunting rule
Similar samples:
45058c52a1b3c9a5755be5783f3ceadec45cf9543e8ce0e2ce353f51cfc92a5b
VIPKeylogger
4d4f4dd3dd03d3ff63689d10675978b1e232f7d1429eca28cd3d9525824817eb
VIPKeylogger
804cb8891f2829caf32366e9efbbeedd19eab55288ca94702d1c29ffded6d463
VIPKeylogger
bbd8889db9e01fb8f36aa9cd0b60282b9caa64e80cb53591d3fb52eddde2a88f
VIPKeylogger
error
VIPKeylogger
+ 3'371 additional samples on MalwareBazaar
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:vipkeylogger collection discovery execution keylogger stealer
Link:
https://tria.ge/reports/250408-gl5znaxrx4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
VIPKeylogger
Vipkeylogger family
Malware Config
C2 Extraction:
https://api.telegram.org/bot7985484998:AAFsmCUbj-RbndicWEKPuhEvaDYH47OZGAg/sendMessage?chat_id=5798480986
Malware family:
VIPKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ddb8f6656936/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ddb8f6656936eca3494339a3193ea49d3fef93328b57727bbda16450384ec78c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/1198/

Comments