MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 009391083b79de327fc9b8b66f7ff3dac490adfb18c89727d6298090fc5a0e60. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 13


Intelligence 13 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 009391083b79de327fc9b8b66f7ff3dac490adfb18c89727d6298090fc5a0e60
SHA3-384 hash: ac9247d9c5c1cf98fd9fcd484293ff8b1e2dca6c5fa4ff3f5c8b70a17e7524668d0709489e38acb8a819ba42eee69f4d
SHA1 hash: b57e5ac3b18f7a85d68e7b36a0b073775778fb83
MD5 hash: 80fc76ec609e5b4d0bd57518dbfb4211
humanhash: one-maine-illinois-coffee
File name:msedge_elf.dll
Download: download sample
Signature MassLogger
Create hunting rule
File size:3'124'736 bytes
First seen:2025-08-19 06:40:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3dccd54933aa26419bc7340cce758582 (1 x RemcosRAT, 1 x AgentTesla, 1 x MassLogger)
ssdeep 49152:1V8ZV0Zr9btoZQwu+IzYLWGdNkfp1kJ+qxH1/9xSTQGnXzUyuKZiZWuDQrIz1gvT:FrvGIMQEQT
TLSH T10AE5AE15A3E901B9D42BDA78CA558333DA7078865731D24F069DD64A2F33EA08F7F326
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter lowmal3
Tags:exe MassLogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
90
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
msedge_elf.dll.exe
Verdict:
Malicious activity
Analysis date:
2025-08-19 06:47:49 UTC
Tags:
auto-reg snake keylogger evasion stealer
Link:
https://app.any.run/tasks/4c03ccd5-2b8a-4e55-85e7-54a1120eafd4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/22102/
Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68a41c7c8fd55a79c529260d
Tags:
n/a
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
adaptive-context crypto fingerprint lolbin microsoft_visual_cc obfuscated remote
Link:
https://www.filescan.io/uploads/68a41c7ea4bdac9f5b9da750/reports/70c9b9fb-201d-4b23-a2e1-098d02ea4bb4/overview
Verdict:
Malicious
Labled as:
Trojan/Win64.GenKryptik
Link:
https://www.hybrid-analysis.com/sample/009391083b79de327fc9b8b66f7ff3dac490adfb18c89727d6298090fc5a0e60
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a84a0b8b-8498-4564-b791-9da3e89e263d
Result
Threat name:
MSIL Logger, MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1759948
Signature
Allocates memory in foreign processes
Drops PE files with a suspicious file extension
Drops PE files with benign system names
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
NDIS Filter Driver detected (likely used to intercept and sniff network traffic)
Sample is not signed and drops a device driver
Sigma detected: Creation of an WerFault.exe in Unusual Folder
Sigma detected: Drops fake bootloader file
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Windows Binaries Write Suspicious Extensions
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected MassLogger RAT
Yara detected MSIL Logger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1759948 Sample: msedge_elf.dll.exe Startdate: 19/08/2025 Architecture: WINDOWS Score: 100 53 reallyfreegeoip.org 2->53 55 checkip.dyndns.org 2->55 57 2 other IPs or domains 2->57 65 Malicious sample detected (through community Yara rule) 2->65 67 Multi AV Scanner detection for submitted file 2->67 69 Yara detected MSIL Logger 2->69 73 7 other signatures 2->73 8 loaddll64.exe 1 2->8         started        signatures3 71 Tries to detect the country of the analysis system (by using the IP) 53->71 process4 process5 10 rundll32.exe 1001 8->10         started        14 cmd.exe 1 8->14         started        16 rundll32.exe 499 8->16         started        18 32 other processes 8->18 file6 47 918 other files (5 malicious) 10->47 dropped 85 Drops PE files with a suspicious file extension 10->85 87 Writes to foreign memory regions 10->87 89 Allocates memory in foreign processes 10->89 91 Drops PE files with benign system names 10->91 20 rundll32.exe 1001 14->20         started        35 C:\Users\user\...\win32kfull.sys, PE32+ 16->35 dropped 37 C:\Users\user\...\spoolsv.exe, PE32+ 16->37 dropped 39 C:\Users\user\...\format.com, PE32+ 16->39 dropped 49 481 other files (none is malicious) 16->49 dropped 93 Sample is not signed and drops a device driver 16->93 95 Injects a PE file into a foreign processes 16->95 41 C:\Users\user\...\winload.efi, PE32+ 18->41 dropped 43 C:\Users\user\...\wininit.exe, PE32+ 18->43 dropped 45 C:\Users\user\...\win32kns.sys, PE32+ 18->45 dropped 51 1631 other files (12 malicious) 18->51 dropped 24 AddInProcess32.exe 18->24         started        signatures7 process8 dnsIp9 27 C:\Users\user\...\userinit.exe, PE32+ 20->27 dropped 29 C:\Users\user\...\more.com, PE32+ 20->29 dropped 31 C:\Users\user\...\lsass.exe, PE32+ 20->31 dropped 33 911 other files (2 malicious) 20->33 dropped 75 Writes to foreign memory regions 20->75 77 Allocates memory in foreign processes 20->77 79 Injects a PE file into a foreign processes 20->79 59 reallyfreegeoip.org 104.21.96.1, 443, 49727, 49728 CLOUDFLARENETUS United States 24->59 61 checkip.dyndns.com 132.226.8.169, 49692, 49693, 49694 UTMEMUS United States 24->61 63 mail.shimexintl.com 203.83.177.223, 49763, 49764, 49765 CYBERNET-BD-ASGrameenCybernetLtdBangladeshASforloca Bangladesh 24->63 81 Tries to steal Mail credentials (via file / registry access) 24->81 83 Tries to harvest and steal browser information (history, passwords, etc) 24->83 file10 signatures11
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/009391083b79de327fc9b8b66f7ff3dac490adfb18c89727d6298090fc5a0e60
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/009391083b79de327fc9b8b66f7ff3dac490adfb18c89727d6298090fc5a0e60/
Verdict:
Malicious
Threat:
Family.SNAKE
Link:
https://tip.neiki.dev/file/009391083b79de327fc9b8b66f7ff3dac490adfb18c89727d6298090fc5a0e60
Threat name:
Win64.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2025-08-19 06:40:52 UTC
File Type:
PE+ (Dll)
AV detection:
16 of 24 (66.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=acjzccb3phpde76jxc3g677t3lcjblp3ddejoj6wfgajb7c2bzqa._file
Verdict:
malicious
Label(s):
novastealer
Create hunting rule
Similar samples:
error
MassLogger
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger collection defense_evasion discovery persistence spyware stealer
Link:
https://tria.ge/reports/250819-hfmrka1mv3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
Modifies trusted root certificate store through registry
MassLogger
Masslogger family
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f9989aba-6442-40a1-bb30-ee61551b15c3
Unpacked files
SH256 hash:
009391083b79de327fc9b8b66f7ff3dac490adfb18c89727d6298090fc5a0e60
MD5 hash:
80fc76ec609e5b4d0bd57518dbfb4211
SHA1 hash:
b57e5ac3b18f7a85d68e7b36a0b073775778fb83
Link:
https://www.unpac.me/results/552c3d68-ac82-4bb9-9ad0-ac58facc52e6/
Malware family:
MassLogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/009391083b79/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/009391083b79de327fc9b8b66f7ff3dac490adfb18c89727d6298090fc5a0e60

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

Executable exe 009391083b79de327fc9b8b66f7ff3dac490adfb18c89727d6298090fc5a0e60

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/22102/

Comments