MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0395d68f630504f3ed9a54bf720cda71b5d77a63cbe9a8fcdba45fb3f8e0925f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 18


Intelligence 18 IOCs YARA 22 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0395d68f630504f3ed9a54bf720cda71b5d77a63cbe9a8fcdba45fb3f8e0925f
SHA3-384 hash: 7ff6e8747c55319bd0668aff49c593d5f067b8434d42712441b2248749659ab1394078c25d1cc2bfc3490216ac9b8b37
SHA1 hash: 9c7ba1aeea089db00aa1649a2a48b56610c7be8e
MD5 hash: 5a238471b8d181a765cfc6fff48d3938
humanhash: hot-floor-august-fish
File name:pub-4c182737706e41d29aee6cc5517f834d.r2.dev_aec.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:274'432 bytes
First seen:2026-05-21 13:32:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'012 x AgentTesla, 19'917 x Formbook, 12'332 x SnakeKeylogger)
ssdeep 3072:qUiUMI3VME4t2uzYsRXlbi/GN/q4eQ6YrsSL6nU10dKQnVb2QfDs0mZY/Vgaifb0:OFQf3aswy1nVb2z9b
Threatray 2'906 similar samples on MalwareBazaar
TLSH T13C44761A2BE8A410E2FF8573D2B25125C6FBB5A346158D3E17D2E80A3E3E540DE16F53
TrID 69.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win64 Executable (generic) (6522/11/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter TomU
Tags:exe MassLogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
51
Origin country :
CH CH
Vendor Threat Intelligence
Malware configuration found for:
VIP
Details
VIP
a communications type, a log recover type, a password, a string XOR key, decrypted strings, and based upon the communication type, one of the following: SMTP settings, FTP settings, or a Telegram URL
Link:
https://research.acce.ciphertechsolutions.com/results/686468f2-73b3-4e44-8d99-db8af483752d/
Malware family:
n/a
ID:
1
File name:
stage1b.exe
Verdict:
Malicious activity
Analysis date:
2026-02-27 00:22:54 UTC
Tags:
evasion snake keylogger telegram spyware stealer
Link:
https://app.any.run/tasks/6a4f9b03-6ea3-4229-b7c9-002a6ff7a4e6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
VIPKeyLogger
Create hunting rule
Link:
https://www.capesandbox.com/analysis/67189/
Detection(s):
Win.Packed.Generickdz-9953541-0
Create hunting rule

Win.Malware.Generic-10008460-0
Create hunting rule

YARA.CAPE_Vipkeylogger.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a0f09bf33e785de369c572c
Tags:
dotnet virus smtp
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Launching a service
Reading critical registry keys
Creating a window
Stealing user critical data
Verdict:
Malicious
Labled as:
IL:Trojan.VIPKeylogger
Link:
https://www.hybrid-analysis.com/sample/0395d68f630504f3ed9a54bf720cda71b5d77a63cbe9a8fcdba45fb3f8e0925f
Verdict:
Malicious
File Type:
exe x32
First seen:
2024-11-16T05:56:00Z UTC
Last seen:
2026-05-22T23:40:00Z UTC
Hits:
~100
Detections:
Trojan-PSW.SnakeLogger.HTTP.C&C Trojan.Win32.Agent.sb Trojan-PSW.Win32.Stelega.sb Trojan-PSW.Win32.Stealer.sb HEUR:Trojan.Win32.Generic HEUR:Trojan-Spy.MSIL.Agent.sb HEUR:Trojan-PSW.MSIL.Stealer.gen
Link:
https://opentip.kaspersky.com/0395d68f630504f3ed9a54bf720cda71b5d77a63cbe9a8fcdba45fb3f8e0925f/results?tab=lookup
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1e3c53cb-a0a7-4c95-a556-2b66b304a88c
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0395d68f630504f3ed9a54bf720cda71b5d77a63cbe9a8fcdba45fb3f8e0925f
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0395d68f630504f3ed9a54bf720cda71b5d77a63cbe9a8fcdba45fb3f8e0925f/
Verdict:
Malicious
Threat:
Family.SNAKE
Link:
https://tip.neiki.dev/file/0395d68f630504f3ed9a54bf720cda71b5d77a63cbe9a8fcdba45fb3f8e0925f
Threat name:
ByteCode-MSIL.Trojan.MassLogger
Create hunting rule
Status:
Malicious
First seen:
2024-11-16 09:19:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
29 of 36 (80.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aok5nd3daucph3m2ks7xedg2og25o6tdzpu2r7g3urp3h6hasjpq._file
Verdict:
malicious
Label(s):
vipkeylogger
Create hunting rule
Similar samples:
680c2a3691dc7babcf16daad934a2fe8efabb3214bf36f60825b708c7f736015
MassLogger
96edc0040c2e9b67c002d30f070cedc4be0a83fa48c3ccda7f5ffd4b88b99a09
MassLogger
990e32f2b58b0c11d9998695169ab6a6b0825fc2c4c70d366eb2197360875edc
MassLogger
baccebd3888e8622e858e7a771d985e3eeaf05b6b73d0b67df5bdb710ec65ba5
MassLogger
d313827b50a344b6f5a1adb8392a5be95d65e07d0c58b2e3b91524b33caf5139
MassLogger
dbbe44a73528de0f741edc23e20665e27678fa3a966df5409f3cf4e86c3277ed
MassLogger
+ 2'896 additional samples on MalwareBazaar
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:vipkeylogger collection discovery keylogger spyware stealer
Link:
https://tria.ge/reports/260521-qtjk3adz6p/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
outlook_office_path
outlook_win_path
Browser Information Discovery
Program crash
System Location Discovery: System Language Discovery
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Family: VIPKeylogger
Unpacked files
SH256 hash:
0395d68f630504f3ed9a54bf720cda71b5d77a63cbe9a8fcdba45fb3f8e0925f
MD5 hash:
5a238471b8d181a765cfc6fff48d3938
SHA1 hash:
9c7ba1aeea089db00aa1649a2a48b56610c7be8e
Detections:
win_404keylogger_g1
Create hunting rule
win_masslogger_w0
Create hunting rule
triage_snakekeylogger_infostealer
Create hunting rule
Link:
https://www.unpac.me/results/4d50b2e2-ee13-43bc-8abb-f417ba4db8f6/
Parent samples :
35789622f4b1e9cb6638acba0fa26ca51e517f34bbac5dc876e3587392dcb6bb
048dee7acb2d6fd7e7e24e4f3d3b825b8277c704c6c71fec66acaa3bff770cfb
9cc0ec6a21bd5a6623933e5d35f40cf3d5f3bc9465c0e848b6b39fe8fe1c7038
65032d50c2a6525b8b9cc9636278a4228bbe65ed478c4cea87e40370b2954c1d
6a331ed125bffc7fcaf61837164bd52bf3f5788fc468f5a74f477df1b8f4f3c9
82453da04a3618eede4ec065f24f8e3e4e0c120072e659a6edf23eb7a7933a84
c9e434249c8233d35e8bb5a03cdd049a100ed54ecb6d1080b25b3aabcc73f2e5
7693bac5a927633eff56819ee7ab55dea7d03c2b25286b335380b2afa053fff5
d6f0f38727c762b36df15c44ef60ca77e766fb4f961634b21f4a2c806c481038
0395d68f630504f3ed9a54bf720cda71b5d77a63cbe9a8fcdba45fb3f8e0925f
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0395d68f6305/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0395d68f630504f3ed9a54bf720cda71b5d77a63cbe9a8fcdba45fb3f8e0925f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_snake_keylogger
Create hunting rule
Author:Rony (r0ny_123)
Description:Detects Snake keylogger payload
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:TelegramAPIMalware_PowerShell_EXE
Create hunting rule
Author:@polygonben
Description:Hunting for pwsh malware using Telegram for C2
Rule name:telegram_bot_api
Create hunting rule
Author:rectifyq
Description:Detects file containing Telegram Bot API
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.
Rule name:VIPKeyLogger
Create hunting rule
Author:kevoreilly
Description:Detects VIPKeyLogger Keylogger
Rule name:Windows_Trojan_SnakeKeylogger_af3faa65
Create hunting rule
Author:Elastic Security
Rule name:win_dotnet_vb_stealer_rat
Create hunting rule
Author:Arrbat
Description:Detects .NET/VB executables with stealer/RAT capabilities (sockets, HTTP, processes, registry, etc).
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

Executable exe 0395d68f630504f3ed9a54bf720cda71b5d77a63cbe9a8fcdba45fb3f8e0925f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/67189/

Comments