Analysis of VIPKeyLogger

Hey everyone,

I just added a new sample to my blog https://www.malwarelearn.com/reports/encryptedps1 .

It is an analysis of a powershell script which drops two separate payloads:

  1. A new powershell
  2. an highly obfuscated dll

The secondary powershell file execute the DLL via reflective code loading which in turns uses process hollowing to execute an infostealer hiding inside the .NET compiler.

There is also a separate section on process hollowing https://www.malwarelearn.com/learn/process_hollowing

Any feedback welcome!

reddit.com
u/pygaiwan — 2 months ago