vipkeylogger | b1e201db81c599050133b5643a89f950d2b6c2eaf0ed44ea985e742c4a162b31 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

1

PaymentSwiftCopy.js

windows7-x64

8

PaymentSwiftCopy.js

windows10-2004-x64

Sharing

General

Target

b1e201db81c599050133b5643a89f950d2b6c2eaf0ed44ea985e742c4a162b31
Size

21KB
Sample

250325-qn33hszpx4
MD5

bcc41510145dfc2f4e403325abb8a7e4
SHA1

406fd1c15a805f4bd64b5d7813708f8b67c8fa83
SHA256

b1e201db81c599050133b5643a89f950d2b6c2eaf0ed44ea985e742c4a162b31
SHA512

2e111d709914d0f0a15c551d000a0f541c114d2d0afdc2fdb0f0e8d41f82cfcc7734e7e22291d663b5a58299c342ee3c5f625d0a96b4e810ca21c02777ccc5b4
SSDEEP

384:jmummAmummAmmmmmmmmmmmmmmmmkw7Ujw7Ujw7UT1mmmU:jmummAmummAmmmmmmmmmmmmmmmmkw7U9

Score

10^/10

vipkeylogger collection discovery execution keylogger stealer

Static task

static1

Behavioral task

behavioral1

Sample

PaymentSwiftCopy.js

Resource

win7-20241010-en

windows7-x64

7 signatures

150 seconds

Behavioral task

behavioral2

Sample

PaymentSwiftCopy.js

Resource

win10v2004-20250314-en

vipkeylogger collection discovery execution keylogger stealer

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot8047024230:AAEOgyfPgNxsX6e5QUEWyOZOAYOzCPtuimk/sendMessage?chat_id=769249322

Targets

- Target
  
  PaymentSwiftCopy.js
- Size
  
  1.3MB
- MD5
  
  410a3c00c23b4af500311ae954d7fae5
- SHA1
  
  44b996b2040ddc20f1cf07c7e070514f856b02c9
- SHA256
  
  c3aa4900a10fcf72db0cce3754e4cb44617229442f01ed0caf18c159ceea7e57
- SHA512
  
  589b6805ca596f85c3cf5ef2365996ae9102ad8460cfd9fc6068df8284e1044002cbf8aa27e327d850f33472f951089d4e8ce43bd5acb0c3a6ff6f31ad9341ce
- SSDEEP
  
  192:To1o1o1o1o1o1o1o1o1o1go1o1o1o1o1o1o1o1o1o1go1o1o1o1o1o1o1o1o1o1L:VplQBOr
Score

10^/10

execution vipkeylogger collection discovery keylogger stealer
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vipkeylogger family
  vipkeylogger
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

vipkeyloggercollectiondiscoveryexecutionkeyloggerstealer

© 2018-2025

Terms | Privacy