PULSE NAME
IOC - MAAS VIP_Keylogger Campaign
WHITE celestre 2026-03-11 Modified: 2026-04-10
11 IOCs
MEDIUM VOLUME
While surfing through VirusTotal we found interesting email content persuading the victim to open an attached purchase order, which is in fact a RAR file that contained an .exe (ÜRÜN ÇİZİMİ VE TEKNİK ÖZELLİKLERİ_xlsx.exe). When executed, the .exe file ultimately extracts and executes VIP_Keylogger in memory without touching the disk.
Indicators of Compromise (11)