MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b3bca24417a215c0c33a2bf4fd3ffb61bdd5f25c79ada55cce359a5c5c3acaa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 15

Intelligence 15 IOCs YARA 22 File information Comments

SHA256 hash:	0b3bca24417a215c0c33a2bf4fd3ffb61bdd5f25c79ada55cce359a5c5c3acaa
SHA3-384 hash:	7051043c51354776a727ca156af91663f8474c81f7e2daf6d4d90bb18233a134ff7dbfffc6a954800bab6b9b3cf9196a
SHA1 hash:	b0d4db9a2f34b1e679444f6e89890d35c7213f76
MD5 hash:	2a45b21bb07456351db2b3bdcafa83d5
humanhash:	neptune-winter-jupiter-stairway
File name:	SecuriteInfo.com.BackDoor.Himsi.3535.1452
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	252'416 bytes
First seen:	2026-06-05 06:29:10 UTC
Last seen:	2026-06-05 07:48:56 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	3072:D8DTxU7ZsUFLX1OSBsZXYPcNJGdSutY2Oz50ARISFirKoXsP+fKpK:D1fcKGXYPUZmm+rKohyp
TLSH	T18C34289477FC1214F2BF8F79A87454504AB7F427A926D70E1CDA61DC2A32B90EA14B33
TrID	33.1% (.EXE) Win64 Executable (generic) (6522/11/2) 25.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 10.4% (.ICL) Windows Icons Library (generic) (2059/9) 10.3% (.EXE) OS/2 Executable (generic) (2029/13) 10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	SecuriteInfoCom
Tags:	exe MassLogger

Intelligence

File Origin

# of uploads :

# of downloads :

106

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

exe

Verdict:

Malicious activity

Analysis date:

2026-06-05 06:30:56 UTC

Tags:

telegram ip-check evasion stealer unixstealer

Link:

https://app.any.run/tasks/e94e0f4f-c23b-4ebb-808b-54d176258b84

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/69089/

Detection(s):

SecuriteInfo.com.BackDoor.Himsi.3535.1452.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a226cc7f8676ad4d3613ea8

Tags:

virus sage blic

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Connection attempt

Sending an HTTP GET request

Creating a window

Creating a file in the %temp% directory

Deleting a recently created file

Reading critical registry keys

Launching the process to change network settings

Searching for synchronization primitives

Creating a file

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug anti-vm base64 cdb evasive expand fingerprint hacktool infostealer lolbin netsh obfuscated privilege reconnaissance stealer

Link:

https://www.filescan.io/uploads/6a226cc3099ef368af20f89f/reports/9b7a856f-f60d-403f-93b8-59ded04f6207/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/0b3bca24417a215c0c33a2bf4fd3ffb61bdd5f25c79ada55cce359a5c5c3acaa

Verdict:

Malicious

File Type:

exe x64

First seen:

2026-06-04T15:17:00Z UTC

Last seen:

2026-06-05T13:04:00Z UTC

Hits:

~10

Detections:

Trojan-PSW.MSIL.Agent.sb Trojan-GameThief.Win32.Worgtop.f PDM:Trojan.Win32.Generic Trojan.MSIL.Agent.sba Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Agent.sb Trojan-GameThief.MSIL.Worgtop.b HEUR:Trojan-PSW.MSIL.Stealer.gen Worm.MSIL.Agent.sb Trojan.Win32.Agent.sb Trojan-PSW.Win32.Coins.sb Trojan-PSW.MSIL.Stealer.sb not-a-virus:PSWTool.MSIL.BroPass.sb

Link:

https://opentip.kaspersky.com/0b3bca24417a215c0c33a2bf4fd3ffb61bdd5f25c79ada55cce359a5c5c3acaa/results?tab=lookup

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5d0e0f4f-05e2-4a14-a561-3a8568d41ad1

Score:

97%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/0b3bca24417a215c0c33a2bf4fd3ffb61bdd5f25c79ada55cce359a5c5c3acaa

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0b3bca24417a215c0c33a2bf4fd3ffb61bdd5f25c79ada55cce359a5c5c3acaa/

Verdict:

Malicious

Threat:

Family.ZALUPASTEALER

Link:

https://tip.neiki.dev/file/0b3bca24417a215c0c33a2bf4fd3ffb61bdd5f25c79ada55cce359a5c5c3acaa

Threat name:

ByteCode-MSIL.Trojan.MassLogger

Status:

Malicious

First seen:

2026-05-31 19:20:43 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

26 of 36 (72.22%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=bm54ujcbpiqvydbtuk7u7u77wyn52xzfy6nnuvom4nm2lrodvsva._file

Verdict:

malicious

Label(s):

xoriumstealer

Result

Malware family:

xorium_stealer

Score:

10/10

Tags:

family:xorium_stealer collection discovery persistence privilege_escalation spyware stealer

Link:

https://tria.ge/reports/260605-g834kscz7n/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Browser Information Discovery

Event Triggered Execution: Netsh Helper DLL

System Network Configuration Discovery: Wi-Fi Discovery

Accesses Microsoft Outlook profiles

Checks installed software on the system

Looks up external IP address via web service

Reads WinSCP keys stored on the system

Reads user/profile data of web browsers

Detects XoriumStealer payload

Family: XoriumStealer

Unpacked files

SH256 hash:

0b3bca24417a215c0c33a2bf4fd3ffb61bdd5f25c79ada55cce359a5c5c3acaa

MD5 hash:

2a45b21bb07456351db2b3bdcafa83d5

SHA1 hash:

b0d4db9a2f34b1e679444f6e89890d35c7213f76

Detections:

win_masslogger_w0

Link:

https://www.unpac.me/results/7e97ceca-72dd-45b8-80df-cc9cfb1bb97d/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0b3bca24417a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0b3bca24417a215c0c33a2bf4fd3ffb61bdd5f25c79ada55cce359a5c5c3acaa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BLOWFISH_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for Blowfish constants

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	detect_Redline_Stealer_V2 Create hunting rule
Author:	Varp0s

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs Create hunting rule
Author:	ditekSHen
Description:	Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many file transfer clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_References_SecTools Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many IR and analysis tools

Rule name:	Lumma_Stealer_Detection Create hunting rule
Author:	ashizZz
Description:	Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:	https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/

Rule name:	Macos_Infostealer_Wallets_8e469ea0 Create hunting rule
Author:	Elastic Security

Rule name:	masslogger_gcch Create hunting rule
Author:	govcert_ch

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	telebot_framework Create hunting rule
Author:	vietdx.mb

Rule name:	TelegramAPIMalware_PowerShell_EXE Create hunting rule
Author:	@polygonben
Description:	Hunting for pwsh malware using Telegram for C2

Rule name:	telegram_bot_api Create hunting rule
Author:	rectifyq
Description:	Detects file containing Telegram Bot API

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.