MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9a8142df15c72df9981623d8876f1526dcdd79e95dcbec57025a2dfadc372da1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MaskGramStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9a8142df15c72df9981623d8876f1526dcdd79e95dcbec57025a2dfadc372da1
SHA3-384 hash: e57c78550c909226a92b57f9eacef16fffce44699488d618dcd7763ea001b89fad5b50f51b598166d2af27d84c092360
SHA1 hash: f35d910fedd6eb156743678c4f9bd9a68b75da5a
MD5 hash: f43a1db5ef50eed77441919c1e43821b
humanhash: magnesium-pennsylvania-romeo-uranus
File name:f43a1db5ef50eed77441919c1e43821b.exe
Download: download sample
Signature MaskGramStealer
Create hunting rule
File size:56'832 bytes
First seen:2025-09-10 07:11:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 59e82f568be780decbf635ea2d441bda (2 x MaskGramStealer)
ssdeep 1536:UKPv7JtoBTFuw/Lno4nSU7A7qsfEvaRA901dfl7O3lwd5dF3H:UKPvhw/LlSU75wECa01ddS3ad5dF
TLSH T16C43026A8B0315BFC449023C497F605CBA64DC46411DE39E6FE6726B063EDB9DEE6032
TrID 63.5% (.EXE) UPX compressed Win64 Executable (70117/5/12)
24.5% (.EXE) UPX compressed Win32 Executable (27066/9/6)
4.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.8% (.ICL) Windows Icons Library (generic) (2059/9)
1.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter abuse_ch
Tags:exe MaskGramStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
64
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f43a1db5ef50eed77441919c1e43821b.exe
Verdict:
Malicious activity
Analysis date:
2025-09-10 07:31:38 UTC
Tags:
telegram stealer upx
Link:
https://app.any.run/tasks/14aae24d-afc6-4797-876f-05570d8e84a6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/26646/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c124ba6e66ba602d79c0ee
Tags:
ransomware emotet virus crypt
Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Connection attempt
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed packed packed packer_detected upx
Link:
https://www.filescan.io/uploads/68c12529cfa59bfdc7f7080c/reports/349ad41e-8511-4c6f-883a-011a3b074438/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/9a8142df15c72df9981623d8876f1526dcdd79e95dcbec57025a2dfadc372da1
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-09-09T10:35:00Z UTC
Last seen:
2025-09-09T10:35:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/9a8142df15c72df9981623d8876f1526dcdd79e95dcbec57025a2dfadc372da1/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/de02e0f6-2cfa-4bf1-8bdd-f2650d94eb0e
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1774509
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Leaks process information
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9a8142df15c72df9981623d8876f1526dcdd79e95dcbec57025a2dfadc372da1
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9a8142df15c72df9981623d8876f1526dcdd79e95dcbec57025a2dfadc372da1/
Threat name:
Win64.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-09-09 13:54:32 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
25 of 38 (65.79%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tkaufxyvy4w7tgawepmio3yve3on26pjlxf6yvycliw7vxbxfwqq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer upx
Link:
https://tria.ge/reports/250910-h13zaafm3v/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads WinSCP keys stored on the system
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Verdict:
Suspicious
Tags:
Suspicious_POST_body
YARA:
n/a
Link:
https://app.threat.zone/submission/f4a72d21-e82f-4075-b8bd-de05af875e40
Unpacked files
SH256 hash:
9a8142df15c72df9981623d8876f1526dcdd79e95dcbec57025a2dfadc372da1
MD5 hash:
f43a1db5ef50eed77441919c1e43821b
SHA1 hash:
f35d910fedd6eb156743678c4f9bd9a68b75da5a
Link:
https://www.unpac.me/results/93c25f1f-efc2-4d0b-99a1-64b360ac55fd/
SH256 hash:
56471cdcb0e9226f7f7506f40a5b31584b7eca858ea1f26741c4e4bbfeaf051a
MD5 hash:
40b0a0cab87fc86caa7b12c65c8077b7
SHA1 hash:
ef088d56cbe7102a6035db36ef809c7ca0fecf0f
Detections:
ReflectiveLoader
Create hunting rule
Link:
https://www.unpac.me/results/93c25f1f-efc2-4d0b-99a1-64b360ac55fd/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9a8142df15c7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.22
Link:
https://yomi.yoroi.company/submissions/9a8142df15c72df9981623d8876f1526dcdd79e95dcbec57025a2dfadc372da1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:ReflectiveLoader
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:Internal Research
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/26646/

Comments