MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1bf5825dedd60c59905e0d69ebc53125ef1e1d060d202647792c62cea3bafeb6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1bf5825dedd60c59905e0d69ebc53125ef1e1d060d202647792c62cea3bafeb6
SHA3-384 hash: 9c3d33908b3524a4ed516c8556b1e7379514e5d88a69efb43fd1941bfe974de482524406aebfae5de2a6f3c79c4125d3
SHA1 hash: 4fdb9f8afb7d64daa4f959471e54366c3ca4bf92
MD5 hash: eeb45d4a7cb22900d7c2d2ed0fc4bc92
humanhash: hotel-mockingbird-oranges-oscar
File name:1bf5825dedd60c59905e0d69ebc53125ef1e1d060d202647792c62cea3bafeb6
Download: download sample
Signature MassLogger
Create hunting rule
File size:507'904 bytes
First seen:2025-05-09 12:47:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:WgCRx1G9vkiY0ciwqKByoNJBUeuoHf68gbMMM+IDc:hFnx05tUe9Hf68gbp5C
Threatray 3'758 similar samples on MalwareBazaar
TLSH T193B401167359D852C5C61BB05962D1B9137CCECCAC52C30BABE93EAFBCBAB5468043D1
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter adrian__luca
Tags:exe MassLogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
309
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1bf5825dedd60c59905e0d69ebc53125ef1e1d060d202647792c62cea3bafeb6
Verdict:
Malicious activity
Analysis date:
2025-05-09 15:42:54 UTC
Tags:
netreactor snake keylogger stealer evasion
Link:
https://app.any.run/tasks/c7305687-f87b-4cea-8826-41687558c8a9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=681dfac34a59e5a2ce03466b
Tags:
snake virus micro msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
crypt obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/681df959c7418694c8a80022/reports/2aa163d3-a370-49c2-8950-80aa1e06b2e2/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/1bf5825dedd60c59905e0d69ebc53125ef1e1d060d202647792c62cea3bafeb6
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7a243c3a-03db-4b92-8321-bd251d8923d4
Result
Threat name:
MSIL Logger, MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1686548
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected MassLogger RAT
Yara detected MSIL Logger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1686548 Sample: LiVjGnY5Hx.exe Startdate: 10/05/2025 Architecture: WINDOWS Score: 100 46 reallyfreegeoip.org 2->46 48 checkip.dyndns.org 2->48 50 checkip.dyndns.com 2->50 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 Sigma detected: Scheduled temp file as task from temp location 2->60 64 10 other signatures 2->64 8 LiVjGnY5Hx.exe 7 2->8         started        12 zYxpPOHzamOKB.exe 5 2->12         started        signatures3 62 Tries to detect the country of the analysis system (by using the IP) 46->62 process4 file5 38 C:\Users\user\AppData\...\zYxpPOHzamOKB.exe, PE32 8->38 dropped 40 C:\...\zYxpPOHzamOKB.exe:Zone.Identifier, ASCII 8->40 dropped 42 C:\Users\user\AppData\Local\...\tmp7459.tmp, XML 8->42 dropped 44 C:\Users\user\AppData\...\LiVjGnY5Hx.exe.log, ASCII 8->44 dropped 66 Uses schtasks.exe or at.exe to add and modify task schedules 8->66 68 Adds a directory exclusion to Windows Defender 8->68 70 Injects a PE file into a foreign processes 8->70 14 powershell.exe 23 8->14         started        17 powershell.exe 23 8->17         started        19 LiVjGnY5Hx.exe 15 2 8->19         started        22 schtasks.exe 1 8->22         started        72 Multi AV Scanner detection for dropped file 12->72 24 zYxpPOHzamOKB.exe 12->24         started        26 schtasks.exe 12->26         started        signatures6 process7 dnsIp8 74 Loading BitLocker PowerShell Module 14->74 28 conhost.exe 14->28         started        30 WmiPrvSE.exe 14->30         started        32 conhost.exe 17->32         started        52 checkip.dyndns.com 193.122.130.0, 49715, 49717, 80 ORACLE-BMC-31898US United States 19->52 54 reallyfreegeoip.org 104.21.112.1, 443, 49716, 49718 CLOUDFLARENETUS United States 19->54 34 conhost.exe 22->34         started        76 Tries to steal Mail credentials (via file / registry access) 24->76 78 Tries to harvest and steal browser information (history, passwords, etc) 24->78 36 conhost.exe 26->36         started        signatures9 process10
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1bf5825dedd60c59905e0d69ebc53125ef1e1d060d202647792c62cea3bafeb6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1bf5825dedd60c59905e0d69ebc53125ef1e1d060d202647792c62cea3bafeb6/
Threat name:
Win32.Trojan.SnakeKeylogger
Create hunting rule
Status:
Malicious
First seen:
2025-04-17 06:53:22 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
27 of 37 (72.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dp2yexpn2ygftec6bvu6xrjrexxr4higbuqcmr3zfrrm5i52723a._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
novastealer
Create hunting rule
Similar samples:
03260ed0ef22a3464f72a8e830d5762a789169557137f598c27cdf6de13d2dda
MassLogger
3f21cc31c22b4ad07980033f0d016966da2743d9f65dc5bc592c46c2e028a074
MassLogger
7ac2afbdd0bdfed4481c49171a5c4e814a3ad878b8887fa2594a011620e49b3d
MassLogger
f5c52eda1d72c1acd49b76060beccf510b12e07adb78196222797629eee60ae0
MassLogger
+ 3'748 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger collection discovery execution spyware stealer
Link:
https://tria.ge/reports/250509-p1cwesej6s/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
MassLogger
Masslogger family
Verdict:
Malicious
Tags:
404keylogger
YARA:
n/a
Link:
https://app.threat.zone/submission/ebe8b424-5650-47d6-9cd4-5ebd28e8a7a7
Unpacked files
SH256 hash:
1bf5825dedd60c59905e0d69ebc53125ef1e1d060d202647792c62cea3bafeb6
MD5 hash:
eeb45d4a7cb22900d7c2d2ed0fc4bc92
SHA1 hash:
4fdb9f8afb7d64daa4f959471e54366c3ca4bf92
Link:
https://www.unpac.me/results/e8427417-74b4-4e9b-a8d0-774caa4ff834/
SH256 hash:
0289c8776f9b982f35a1e8f200cddae33ac61182d6fcbf2e1565a24a987f338d
MD5 hash:
7e06a88d115bdf4f8e5ce4e8d6c08b81
SHA1 hash:
039201a41d415726e8136a2ea4d4640b1cc05452
Link:
https://www.unpac.me/results/e8427417-74b4-4e9b-a8d0-774caa4ff834/
SH256 hash:
740a48e7748de047f41ae883a8453f6fa366d6abeb42b3f178685dc59049889a
MD5 hash:
82db8e4eafd697b1c50369c07b453220
SHA1 hash:
6a5d4288e6c387c2e8a8801864e797bcd73dd65a
Detections:
win_404keylogger_g1
Create hunting rule
win_masslogger_w0
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Link:
https://www.unpac.me/results/e8427417-74b4-4e9b-a8d0-774caa4ff834/
Parent samples :
8206bbce37a3c2274b0ee6c55462b78221b876e31cad04f98e90a01a78cdcea0
c119709cbf8a5ab87f99ab439787bb2e7c6dfcabd12fa58b30c7c9038f428f05
1bf5825dedd60c59905e0d69ebc53125ef1e1d060d202647792c62cea3bafeb6
110962df85578b3a3d46ff96d15966c0365f885f087ef21928e605fa7aa164cb
SH256 hash:
40d28bd4213f9cb8d1c74c56ed3a17fc7d109d0ae45949817a4630b21db8e604
MD5 hash:
e8633184cd2bee1e3ae1ba159c0a8307
SHA1 hash:
719b159f0a3fa4b5343ae26ae736dd57e5a32246
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/e8427417-74b4-4e9b-a8d0-774caa4ff834/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1bf5825dedd60c59905e0d69ebc53125ef1e1d060d202647792c62cea3bafeb6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments