MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6fbdfecea78fc2f2094e36112e7cdcd496b9ee47262c8fae1b47999a576f9663. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 13


Intelligence 13 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6fbdfecea78fc2f2094e36112e7cdcd496b9ee47262c8fae1b47999a576f9663
SHA3-384 hash: 0f525022e3a7cfd59076fa7c0a8ec846e3c6ecd2e256eef1b02dc86c07f13d1699e1596a81099d5ad75fb5b5746f341b
SHA1 hash: 8589a96f22044ce87bd5a83a6309d41774d12ee1
MD5 hash: 8720ea6230d7496108bd371fc1cd25b5
humanhash: wyoming-edward-pasta-montana
File name:msedge_elf.dll
Download: download sample
Signature MassLogger
Create hunting rule
File size:5'636'608 bytes
First seen:2025-08-21 08:27:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 62514b34b371ccd010664414093c71e5 (1 x MassLogger)
ssdeep 49152:7HIdjGuIY0cj4W6gg2qHAjBiehUVIr251ksTcU2U1Q/tBl2NIA7MJmIIoFEVg3S3:g0sTykU2Fti6IOFh3S9zm8N
TLSH T1DE46AD09D3D904A5D82BD738CA66C333DAB0BE925635D10F099DF6061F779A28B6F321
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter lowmal3
Tags:exe MassLogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
105
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
msedge_elf.dll
Verdict:
Malicious activity
Analysis date:
2025-08-21 09:19:05 UTC
Tags:
ims-api generic auto-reg snake keylogger evasion stealer
Link:
https://app.any.run/tasks/d4b5ff85-5a36-4000-8c2b-63177dddd5e3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/22739/
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68a6d8af8fd55a79c529ad2d
Tags:
emotet
Result
Verdict:
Clean
Maliciousness:
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
adaptive-context crypto fingerprint microsoft_visual_cc obfuscated
Link:
https://www.filescan.io/uploads/68a6d8adabfbaec318274bb5/reports/a12e91e9-c827-4aa9-b8c4-4557b5e3dc3c/overview
Verdict:
Malicious
Labled as:
TrojanSpy/Stealer.qo
Link:
https://www.hybrid-analysis.com/sample/6fbdfecea78fc2f2094e36112e7cdcd496b9ee47262c8fae1b47999a576f9663
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d4511a81-6b37-4356-803c-28bc215977b3
Result
Threat name:
MSIL Logger, MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1761841
Signature
Allocates memory in foreign processes
Drops PE files with a suspicious file extension
Drops PE files with benign system names
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sigma detected: Creation of an WerFault.exe in Unusual Folder
Sigma detected: Drops fake bootloader file
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Windows Binaries Write Suspicious Extensions
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected MassLogger RAT
Yara detected MSIL Logger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1761841 Sample: msedge_elf.dll.exe Startdate: 21/08/2025 Architecture: WINDOWS Score: 100 55 reallyfreegeoip.org 2->55 57 mail.spherehotkcsa.com 2->57 59 2 other IPs or domains 2->59 67 Found malware configuration 2->67 69 Malicious sample detected (through community Yara rule) 2->69 71 Multi AV Scanner detection for submitted file 2->71 75 7 other signatures 2->75 8 loaddll64.exe 1 2->8         started        signatures3 73 Tries to detect the country of the analysis system (by using the IP) 55->73 process4 process5 10 rundll32.exe 947 8->10         started        14 cmd.exe 1 8->14         started        16 rundll32.exe 556 8->16         started        18 31 other processes 8->18 file6 49 830 other files (3 malicious) 10->49 dropped 87 Drops PE files with a suspicious file extension 10->87 89 Writes to foreign memory regions 10->89 91 Allocates memory in foreign processes 10->91 93 Drops PE files with benign system names 10->93 20 rundll32.exe 794 14->20         started        37 C:\Users\user\...\wer.dll, PE32+ 16->37 dropped 39 C:\Users\user\...\more.com, PE32+ 16->39 dropped 41 C:\Users\user\...\mode.com, PE32+ 16->41 dropped 51 531 other files (none is malicious) 16->51 dropped 95 Injects a PE file into a foreign processes 16->95 43 C:\Users\user\...\winload.efi, PE32+ 18->43 dropped 45 C:\Users\user\...\wininit.exe, PE32+ 18->45 dropped 47 C:\Users\user\...\win32kns.sys, PE32+ 18->47 dropped 53 2016 other files (15 malicious) 18->53 dropped 97 Sample is not signed and drops a device driver 18->97 24 AddInProcess32.exe 18->24         started        26 AddInProcess32.exe 18->26         started        signatures7 process8 dnsIp9 29 C:\Users\user\...\format.com, PE32+ 20->29 dropped 31 C:\Users\user\...\dwm.exe, PE32+ 20->31 dropped 33 C:\Users\user\...\csrss.exe, PE32+ 20->33 dropped 35 714 other files (1 malicious) 20->35 dropped 77 Writes to foreign memory regions 20->77 79 Allocates memory in foreign processes 20->79 81 Injects a PE file into a foreign processes 20->81 83 Tries to steal Mail credentials (via file / registry access) 24->83 85 Tries to harvest and steal browser information (history, passwords, etc) 24->85 61 mail.spherehotkcsa.com 144.76.104.104, 49755, 49756, 49757 HETZNER-ASDE Germany 26->61 63 reallyfreegeoip.org 104.21.64.1, 443, 49725, 49726 CLOUDFLARENETUS United States 26->63 65 checkip.dyndns.com 158.101.44.242, 49690, 49691, 49692 ORACLE-BMC-31898US United States 26->65 file10 signatures11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6fbdfecea78fc2f2094e36112e7cdcd496b9ee47262c8fae1b47999a576f9663
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/8720ea6230d7496108bd371fc1cd25b5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6fbdfecea78fc2f2094e36112e7cdcd496b9ee47262c8fae1b47999a576f9663/
Threat name:
Win64.Trojan.SnakeStealer
Create hunting rule
Status:
Malicious
First seen:
2025-08-21 04:38:01 UTC
File Type:
PE+ (Dll)
AV detection:
20 of 36 (55.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n6675tvhr7bpeckogyis47g42sllt3sheywi7lq3i6mzuv3pszrq._file
Verdict:
malicious
Label(s):
novastealer
Create hunting rule
Similar samples:
error
MassLogger
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger collection discovery persistence spyware stealer
Link:
https://tria.ge/reports/250821-kc8wqs1rs2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
MassLogger
Masslogger family
Malware Config
C2 Extraction:
https://api.telegram.org/bot8013697665:AAEaMzK6uhX2nleUdM5_It7J4cyOvNu7W2k/sendMessage?chat_id=8175782960
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/35c6e98a-e9df-457a-8559-10c96be8de16
Unpacked files
SH256 hash:
6fbdfecea78fc2f2094e36112e7cdcd496b9ee47262c8fae1b47999a576f9663
MD5 hash:
8720ea6230d7496108bd371fc1cd25b5
SHA1 hash:
8589a96f22044ce87bd5a83a6309d41774d12ee1
Link:
https://www.unpac.me/results/1353a080-6cf4-4a87-b824-e5cefa82e524/
Malware family:
MassLogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6fbdfecea78f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6fbdfecea78fc2f2094e36112e7cdcd496b9ee47262c8fae1b47999a576f9663

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Jupyter_infostealer
Create hunting rule
Author:CD_R0M_
Description:Rule for Jupyter Infostealer/Solarmarker malware from september 2021-December 2022
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

Executable exe 6fbdfecea78fc2f2094e36112e7cdcd496b9ee47262c8fae1b47999a576f9663

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/22739/

Comments