Overview

overview

10

Static

static

1

1092817034..._1.jse

windows7-x64

10

1092817034..._1.jse

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    27022025_1123_1092817034_DCTAZ100_2025_23176136_1.tar

  • Size

    311KB

  • Sample

    250227-ng577avye1

  • MD5

    2dc02930d76141dbf5e99f6d9a540424

  • SHA1

    544d643b122aeace30e67e4ad508e68c1c7f5904

  • SHA256

    a8913319d581f7711cb683e5d4fd5e966e11bc641cc3ec2979f1f5f1d79d6fec

  • SHA512

    198bebe472633eb85fd98c32910492b13449c9ac22ea0728206ffec5db2398cf3edc574805c2c657247711bef9598cb6dc3349a36953b918a43581233fb8cc69

  • SSDEEP

    3072:NvJ5HovJ5HovJ5HovJ5H7vJ5HovJ5HovJ5HovJ5H4vJ5HovJ5HovJ5HovJ5HuGn3:n4B

Score
10/10
vipkeyloggercollectiondiscoveryexecutionkeyloggerstealer

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://3005.filemail.com/api/file/get?filekey=YGeeUqxByC2SUnRwBS5PxBChMdOlgJICDX-dOV3RIbLORoveuNxkFvLqz9DkMXM&skipreg=true&pk_vid=342803d1cc4e3b80174013691680a5ef
exe.dropper

https://3005.filemail.com/api/file/get?filekey=YGeeUqxByC2SUnRwBS5PxBChMdOlgJICDX-dOV3RIbLORoveuNxkFvLqz9DkMXM&skipreg=true&pk_vid=342803d1cc4e3b80174013691680a5ef

Extracted

Family

vipkeylogger

Credentials

Targets

    • Target

      1092817034_DCTAZ100_2025_23176136_1.jse

    • Size

      309KB

    • MD5

      d97ac5a9ac461d2137606480b79db1c4

    • SHA1

      dda801ef5e48dd7510e7cb8380f316d7a7147265

    • SHA256

      98c41f03c8e8c2b2246014f1cb0a49b2b71afc60c0e83ed33e5ad4e783418703

    • SHA512

      283b076b0ca30bee97e1da8d87460bc6668533608c26370325a0273070bce38165ce2be3eb75662eaa85b6176076fc1fc6f15c2970006d2bc817e714c5735638

    • SSDEEP

      3072:5vJ5HovJ5HovJ5HovJ5H7vJ5HovJ5HovJ5HovJ5H4vJ5HovJ5HovJ5HovJ5HuGnG:L4BL

    Score
    10/10
    executionvipkeyloggercollectiondiscoverykeyloggerstealer

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

      stealerkeyloggervipkeylogger

    • Vipkeylogger family

      vipkeylogger

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

      collection

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks