MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a04210eaf96a610c6b570186e42cdaa70082bfeec187a8d7fbc0ee1a3f937f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MaskGramStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	0a04210eaf96a610c6b570186e42cdaa70082bfeec187a8d7fbc0ee1a3f937f1
SHA3-384 hash:	6169f321a409ae1ad710301e8759124486595cd19100ed7d80f4246344170940f315724823f3eee0b0de0af624079399
SHA1 hash:	196bdb5041896f981a7edcf537d508e06cad4267
MD5 hash:	e878bad845dfbd1c1cd2f7f0512c7756
humanhash:	pennsylvania-friend-pennsylvania-pizza
File name:	file
Download:	download sample
Signature	MaskGramStealer Create hunting rule
File size:	2'153'472 bytes
First seen:	2025-11-30 14:13:42 UTC
Last seen:	2025-11-30 14:21:49 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	dc6b57a7282f87959d9942f26d5c0b74 (18 x MaskGramStealer)
ssdeep	49152:tEOGPox93cH+K0gmANLHTChBDlfCRCOJLarYYAIAXRJmixIOz:+Ob5JgLN7TOZfoBgYTBJmtOz
TLSH	T1E7A502A94868C8BADE143CB1B1387A9D51D7BEF77CA059E4CEB2754BD0F2C2870CA451
TrID	38.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 15.6% (.ICL) Windows Icons Library (generic) (2059/9) 15.4% (.EXE) OS/2 Executable (generic) (2029/13) 15.2% (.EXE) Generic Win/DOS Executable (2002/3) 15.2% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-amadey exe fbf543 MaskGramStealer

Bitsight

url: http://178.16.55.189/files/7625197136/yUaXFhT.exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

file

Verdict:

No threats detected

Analysis date:

2025-11-30 14:14:54 UTC

Tags:

telegram themida

Link:

https://app.any.run/tasks/6c685caa-9de3-4244-b494-968d36ea2fed

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/41933/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=692c5138c908fdc697470126

Tags:

ransomware virus crypt

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Connection attempt

Sending a custom TCP request

Behavior that indicates a threat

Connection attempt to an infection source

Query of malicious DNS domain

Sending a TCP request to an infection source

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

mingw obfuscated packed packed themidawinlicense

Link:

https://www.filescan.io/uploads/692c51342cd29ea630036f14/reports/6ae67fb5-c96a-4d6f-bf12-09200ce3cdfd/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/0a04210eaf96a610c6b570186e42cdaa70082bfeec187a8d7fbc0ee1a3f937f1

Result

Gathering data

Verdict:

Clean

File Type:

exe x64

Link:

https://opentip.kaspersky.com/0a04210eaf96a610c6b570186e42cdaa70082bfeec187a8d7fbc0ee1a3f937f1/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/67ee32e5-f681-4a1d-ba76-460d27db3634

Score:

98%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/0a04210eaf96a610c6b570186e42cdaa70082bfeec187a8d7fbc0ee1a3f937f1

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/e878bad845dfbd1c1cd2f7f0512c7756

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0a04210eaf96a610c6b570186e42cdaa70082bfeec187a8d7fbc0ee1a3f937f1/

Verdict:

Malicious

Threat:

Family.MASKGRAM_STEALER

Link:

https://tip.neiki.dev/file/0a04210eaf96a610c6b570186e42cdaa70082bfeec187a8d7fbc0ee1a3f937f1

Gathering data

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bicccdvps2tbbrvvoamg4qwnvjyaqk765qmhvdl7xqhodi7zg7yq._file

Verdict:

malicious

Label(s):

maskgramstealer

Similar samples:

error

MaskGramStealer

Result

Malware family:

maskgram_stealer

Score:

10/10

Tags:

family:maskgram_stealer defense_evasion stealer themida trojan

Link:

https://tria.ge/reports/251130-rj6taaznej/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Checks whether UAC is enabled

Checks BIOS information in registry

Themida packer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Detects MaskGramStealer payload

MaskGramStealer

Maskgram_stealer family

Malware Config

C2 Extraction:

puffyclaw2008.shop

Verdict:

Suspicious

Tags:

Suspicious_POST_body

YARA:

n/a

Link:

https://app.threat.zone/submission/8600eef8-1f46-42d7-9749-aa268bcb77ea

Unpacked files

SH256 hash:

0a04210eaf96a610c6b570186e42cdaa70082bfeec187a8d7fbc0ee1a3f937f1

MD5 hash:

e878bad845dfbd1c1cd2f7f0512c7756

SHA1 hash:

196bdb5041896f981a7edcf537d508e06cad4267

Link:

https://www.unpac.me/results/0e0a3733-cf45-4197-b7dc-5388b6cf5c23/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0a04210eaf96/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.