MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ba170ab165a3a134d7328c275ca25cbabc37eaf2779c8cb04de4b4d9a42d3fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 14

Intelligence 14 IOCs YARA 3 File information Comments

SHA256 hash:	1ba170ab165a3a134d7328c275ca25cbabc37eaf2779c8cb04de4b4d9a42d3fb
SHA3-384 hash:	50cc9738b1dcdb9096835d21e3bed94f2693f56495b106c38490074ec20164efe1a1500fe86bf10b64dd9e1dd4a8d6f9
SHA1 hash:	c1d713840f3cd522ab6c6443d0ba88e1d6aca386
MD5 hash:	b385d8feb42f90ac07bcbfe81f498b29
humanhash:	alpha-maryland-two-connecticut
File name:	1ba170ab165a3a134d7328c275ca25cbabc37eaf2779c8cb04de4b4d9a42d3fb
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	374'064 bytes
First seen:	2025-09-24 03:34:30 UTC
Last seen:	2025-09-24 12:44:19 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	1f23f452093b5c1ff091a2f9fb4fa3e9 (301 x GuLoader, 46 x RemcosRAT, 46 x VIPKeylogger)
ssdeep	6144:Yp+ggLD7e4S7dAaTyO/+/d6L1OpMbQRCDdwicp1r+VgDqVm8VcR:I8DrS7dAlz/AYMbMCD7SR+QqrVcR
TLSH	T1AC841220B3A4C127D5664A31F876BBB79AF7AD650158570F1F605E8EBC223D1980F2B8
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10522/11/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
dhash icon	c4dadadad2f492c2 (138 x GuLoader, 49 x RemcosRAT, 23 x VIPKeylogger)
Reporter	JAMESWT_WT
Tags:	exe MassLogger signed

Code Signing Certificate

Organisation:	Skrivemaskines
Issuer:	Skrivemaskines
Algorithm:	sha256WithRSAEncryption
Valid from:	2025-09-12T06:41:53Z
Valid to:	2026-09-12T06:41:53Z
Serial number:	234fe055b11ec464b2f16ba14a7157602ce3ec96
Thumbprint Algorithm:	SHA256
Thumbprint:	925ff2a7bdf1453906f69f96661c136f8748e3ec9c9dd0e70e386334367292ba
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

131

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

1ba170ab165a3a134d7328c275ca25cbabc37eaf2779c8cb04de4b4d9a42d3fb

Verdict:

Malicious activity

Analysis date:

2025-09-24 03:41:55 UTC

Tags:

evasion snake keylogger stealer smtp

Link:

https://app.any.run/tasks/d5668a5f-b32d-4d6d-8496-9207839947ba

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/28719/

Verdict:

Malicious

Score:

93.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68d53c90cc9425144151cb44

Tags:

injection virus blic

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a window

Searching for the window

Creating a file in the %AppData% subdirectories

Creating a file

Delayed reading of the file

Sending a custom TCP request

Unauthorized injection to a recently created process

Restart of the analyzed sample

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

adaptive-context anti-debug anti-vm blackhole guloader installer microsoft_visual_cc nsis overlay signed unsafe

Link:

https://www.filescan.io/uploads/68d36715b4f22678f76365ba/reports/316c76ae-8d5d-4bc6-98ce-c0c5d11ec566/overview

Verdict:

Malicious

Labled as:

Injector.XQFJ

Link:

https://www.hybrid-analysis.com/sample/1ba170ab165a3a134d7328c275ca25cbabc37eaf2779c8cb04de4b4d9a42d3fb

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-09-23T21:59:00Z UTC

Last seen:

2025-09-23T21:59:00Z UTC

Hits:

~1000

Detections:

Trojan.NSIS.Makoob.sba Packed.NSIS.Krynis.sb HEUR:Trojan.Win32.Guloader.gen VHO:Trojan-Downloader.Win32.Minix.gen Trojan.Win32.GuLoader.sb Trojan.NSIS.Pakes.Krynis.sb Trojan-Downloader.Win32.Minix.sb

Link:

https://opentip.kaspersky.com/1ba170ab165a3a134d7328c275ca25cbabc37eaf2779c8cb04de4b4d9a42d3fb/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/99b78f65-f9d6-4323-83e7-8b4135724484

Score:

98%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/1ba170ab165a3a134d7328c275ca25cbabc37eaf2779c8cb04de4b4d9a42d3fb

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/b385d8feb42f90ac07bcbfe81f498b29

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1ba170ab165a3a134d7328c275ca25cbabc37eaf2779c8cb04de4b4d9a42d3fb/

Verdict:

Malicious

Threat:

Family.SNAKE

Link:

https://tip.neiki.dev/file/1ba170ab165a3a134d7328c275ca25cbabc37eaf2779c8cb04de4b4d9a42d3fb

Threat name:

Win32.Trojan.GuLoader

Status:

Malicious

First seen:

2025-09-24 01:25:26 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 38 (63.16%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=doqxbkywli5bgtltfdbhlsrfzov4g7vpe544rsye3zfu3gsc2p5q._file

Result

Malware family:

masslogger

Score:

10/10

Tags:

family:guloader family:masslogger collection discovery downloader spyware stealer

Link:

https://tria.ge/reports/250924-d5p6rsbj91/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Drops file in Windows directory

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses Microsoft Outlook profiles

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Guloader family

Guloader,Cloudeye

MassLogger

Masslogger family

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/397739bc-4f96-4faa-b592-152618a36826

Unpacked files

SH256 hash:

1ba170ab165a3a134d7328c275ca25cbabc37eaf2779c8cb04de4b4d9a42d3fb

MD5 hash:

b385d8feb42f90ac07bcbfe81f498b29

SHA1 hash:

c1d713840f3cd522ab6c6443d0ba88e1d6aca386

Link:

https://www.unpac.me/results/bca66ff7-e5ba-49ea-a4b0-aa6cc57c1472/

SH256 hash:

a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

MD5 hash:

75ed96254fbf894e42058062b4b4f0d1

SHA1 hash:

996503f1383b49021eb3427bc28d13b5bbd11977

Link:

https://www.unpac.me/results/bca66ff7-e5ba-49ea-a4b0-aa6cc57c1472/

Malware family:

GuLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1ba170ab165a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.52

Link:

https://yomi.yoroi.company/submissions/1ba170ab165a3a134d7328c275ca25cbabc37eaf2779c8cb04de4b4d9a42d3fb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	Detect_NSIS_Nullsoft_Installer Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects NSIS installers by .ndata section + NSIS header string

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/28719/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample