MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 00181f3297555dab913f5777fc7823c4882929ee81cb52430d19714b8fa85734. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 16


Intelligence 16 IOCs YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 00181f3297555dab913f5777fc7823c4882929ee81cb52430d19714b8fa85734
SHA3-384 hash: 40a0f4e80a900a1a3b35bce8114ecb267e6fe01dff10620f891795670289d1403cf5bf11418b034a84291658b5178d35
SHA1 hash: 33fedaf23f5bcfb30c35b7dd7af0a7c9a98e4423
MD5 hash: 42d7b10af0014ca355acdfd45230abcf
humanhash: alabama-victor-eleven-jig
File name:H7vvgwMxJG6BXtw.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:806'400 bytes
First seen:2025-06-12 12:30:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:U0xC1VCnRdCaCGCOQNhZyU76SvEGtWl3C:U0xCHerDHQNjy5zGtWl3
Threatray 287 similar samples on MalwareBazaar
TLSH T15A05CF143275D91BD5BB52F29966C23107B7AE89AA65C3CE0CD43CCB39FA7012A43763
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon b070d48646c6cc30 (3 x SnakeKeylogger, 3 x Formbook, 1 x MassLogger)
Reporter lowmal3
Tags:exe MassLogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
429
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
H7vvgwMxJG6BXtw.exe
Verdict:
Malicious activity
Analysis date:
2025-06-12 12:32:37 UTC
Tags:
evasion snake keylogger stealer netreactor
Link:
https://app.any.run/tasks/30d72e13-73f4-4389-af65-3e3072f31f6d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/9135/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=684aca9c8bd5d68a12e81b31
Tags:
virus shell micro spam
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Setting a global event handler for the keyboard
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/684ac9a6fd02ed5e05a67866/reports/d46bfb9d-e43d-4a75-8352-76619a1dcc43/overview
Verdict:
Malicious
Labled as:
MSIL/GenKryptik_AGeneric.BFD trojan
Link:
https://www.hybrid-analysis.com/sample/00181f3297555dab913f5777fc7823c4882929ee81cb52430d19714b8fa85734
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/17bcdb8a-ffff-4b1f-8c88-403f32ab84b4
Result
Threat name:
MSIL Logger, MassLogger RAT, PureLog Ste
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1713244
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected MassLogger RAT
Yara detected MSIL Logger
Yara detected PureLog Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1713244 Sample: H7vvgwMxJG6BXtw.exe Startdate: 12/06/2025 Architecture: WINDOWS Score: 100 55 reallyfreegeoip.org 2->55 57 pickandpeel.store 2->57 59 3 other IPs or domains 2->59 69 Found malware configuration 2->69 71 Malicious sample detected (through community Yara rule) 2->71 73 Antivirus / Scanner detection for submitted sample 2->73 77 14 other signatures 2->77 8 H7vvgwMxJG6BXtw.exe 7 2->8         started        12 mXEbSqCYxiB.exe 2->12         started        14 svchost.exe 2->14         started        signatures3 75 Tries to detect the country of the analysis system (by using the IP) 55->75 process4 dnsIp5 41 C:\Users\user\AppData\...\mXEbSqCYxiB.exe, PE32 8->41 dropped 43 C:\Users\...\mXEbSqCYxiB.exe:Zone.Identifier, ASCII 8->43 dropped 45 C:\Users\user\AppData\Local\...\tmpDDBA.tmp, XML 8->45 dropped 47 C:\Users\user\...\H7vvgwMxJG6BXtw.exe.log, ASCII 8->47 dropped 79 Uses schtasks.exe or at.exe to add and modify task schedules 8->79 81 Adds a directory exclusion to Windows Defender 8->81 17 H7vvgwMxJG6BXtw.exe 15 29 8->17         started        21 powershell.exe 23 8->21         started        23 powershell.exe 23 8->23         started        25 schtasks.exe 1 8->25         started        83 Antivirus detection for dropped file 12->83 85 Multi AV Scanner detection for dropped file 12->85 87 Contains functionality to register a low level keyboard hook 12->87 27 mXEbSqCYxiB.exe 12->27         started        29 schtasks.exe 12->29         started        61 127.0.0.1 unknown unknown 14->61 file6 signatures7 process8 dnsIp9 49 pickandpeel.store 51.75.150.176, 49714, 49716, 49718 OVHFR France 17->49 51 checkip.dyndns.com 158.101.44.242, 49699, 49702, 49715 ORACLE-BMC-31898US United States 17->51 53 reallyfreegeoip.org 104.21.48.1, 443, 49704, 49705 CLOUDFLARENETUS United States 17->53 63 Loading BitLocker PowerShell Module 21->63 31 conhost.exe 21->31         started        33 WmiPrvSE.exe 21->33         started        35 conhost.exe 23->35         started        37 conhost.exe 25->37         started        65 Tries to steal Mail credentials (via file / registry access) 27->65 67 Tries to harvest and steal browser information (history, passwords, etc) 27->67 39 conhost.exe 29->39         started        signatures10 process11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/00181f3297555dab913f5777fc7823c4882929ee81cb52430d19714b8fa85734
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/00181f3297555dab913f5777fc7823c4882929ee81cb52430d19714b8fa85734/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2025-06-12 08:33:36 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
29 of 38 (76.32%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aamb6muxkvo2xej7k537y6bdysecskpoqhfveqyndfyuxd5ik42a._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
novastealer
Create hunting rule
Similar samples:
14a132704212b592f4de974b35a9aa64ded02dceb9589624fe86b332dd531f05
MassLogger
16fc60f543f67f8b5e50902fa78efd66ae2c3b16212dad6a07c0d467a28e27e8
MassLogger
4a8436b32c7ab7bf4942224b5728168e4686f082529831799f358ab54d87f328
MassLogger
e509de8891799bcfa046e6bc48c4f5e9b11473ad0e5e61d0e895065776669388
MassLogger
error
MassLogger
+ 277 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger collection discovery execution spyware stealer
Link:
https://tria.ge/reports/250612-przc3avlw4/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
MassLogger
Masslogger family
Verdict:
Malicious
Tags:
404keylogger
YARA:
n/a
Link:
https://app.threat.zone/submission/b0d744a2-bc2a-4171-8294-81cde320ab7b
Unpacked files
SH256 hash:
00181f3297555dab913f5777fc7823c4882929ee81cb52430d19714b8fa85734
MD5 hash:
42d7b10af0014ca355acdfd45230abcf
SHA1 hash:
33fedaf23f5bcfb30c35b7dd7af0a7c9a98e4423
Link:
https://www.unpac.me/results/42e1f275-9fe8-44f7-a85e-97c7b6ab3ddd/
SH256 hash:
70e18f737765fd153862e4e62fc239b3c083272548af1acf546fb56737259deb
MD5 hash:
286cd3cb241dd1e1b12e65250fb5c05e
SHA1 hash:
162e20a40f9c7f34a156a8936d72510d553296f1
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/42e1f275-9fe8-44f7-a85e-97c7b6ab3ddd/
SH256 hash:
0bb23bb5e59fea2f08bebdba624e75764dec676f8664ada6d88e609b6628c362
MD5 hash:
92d863bdbea6a189f3a57f57ed4e9d70
SHA1 hash:
2dbb998f7765b5438db5f0f5c0400549494029bd
Detections:
win_404keylogger_g1
Create hunting rule
win_masslogger_w0
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Link:
https://www.unpac.me/results/42e1f275-9fe8-44f7-a85e-97c7b6ab3ddd/
SH256 hash:
96e9950cf67974cb77800bfde13101e99a4e42f3cb9d72c3bc23231d84556f43
MD5 hash:
c779c93bc76b82192b8b4e404bc057f3
SHA1 hash:
a66b3d25c0e0fa462bb97091591002a43c89b887
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/42e1f275-9fe8-44f7-a85e-97c7b6ab3ddd/
Parent samples :
b5bdb3730680b32893f9c4d355682be1582689788762469bdb4efdda8376a57b
5e000909af896e406ecd05a8d6a880322356ac3deb01da1f964a0bb0b225398f
47da5cfdca2ebc32d9406385b91fd6bf343bfdfb899e7ecb76dbfe6632735ada
00181f3297555dab913f5777fc7823c4882929ee81cb52430d19714b8fa85734
ce161a633b539864473065ef127ba76ce9c2202aaee184dbbee5968563462a74
156ffbc1adf860198501bf76e6428debdfa847e13e73796ee9bad6e982bf94d4
b7ca5eee2c0af78525e33094a2c1d38f639824b8f051a50216dc47417f426bba
07b152394aab317e08fc56aa9fd33236cc8ea7a71d58ab9d7660ac70ccb495ec
ecca275df0af28dbbd0b0d74c0eaf5b29194cb5293f1ccdd2ba87f203481852a
5f811f675d487ef9d0cd10ba5f095edadcb38eeeedaa5ec897b3994b954d3212
b72fd1024afa07ad46cd25049ae1ef5e7311b1b2bae35f769263332cf2e7d17d
61c3caec2a3c95494495549b3b538ddbbc3240eb794a57ac759ce4164b880734
Malware family:
zgRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/00181f329755/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_snake_keylogger
Create hunting rule
Author:Rony (r0ny_123)
Description:Detects Snake keylogger payload
Rule name:growtopia
Create hunting rule
Author:Michelle Khalil
Description:This rule detects unpacked growtopia stealer malware samples.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:telegram_bot_api
Create hunting rule
Author:rectifyq
Description:Detects file containing Telegram Bot API
Rule name:Windows_Trojan_SnakeKeylogger_af3faa65
Create hunting rule
Author:Elastic Security
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

Executable exe 00181f3297555dab913f5777fc7823c4882929ee81cb52430d19714b8fa85734

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/9135/

Comments