MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 29cf19f78ffdef551b13138bcb108fb1b8b3752939cc65ea9c36c32d55a25a94. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 17

Intelligence 17 IOCs YARA 22 File information Comments

SHA256 hash:	29cf19f78ffdef551b13138bcb108fb1b8b3752939cc65ea9c36c32d55a25a94
SHA3-384 hash:	e89662b19785b81974a275c13ae1bbeb3e8034f38e88433699617db1d7765c9dba077b4bcd9772df56867c7ebe86489a
SHA1 hash:	d19654d90d91e93dc3bf85b8070d352338f4293b
MD5 hash:	d86d80f1895bb23920fe9f23265837d5
humanhash:	saturn-lake-crazy-louisiana
File name:	ERAN_SİPARİŞ_2605_xlsx.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	1'068'032 bytes
First seen:	2026-05-20 17:28:48 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	91d07a5e22681e70764519ae943a5883 (144 x Formbook, 35 x AgentTesla, 32 x a310Logger)
ssdeep	12288:0tb20Qc3lT7af41ePBRYuQLKpqeUhbTv5OFgNuPPpHSgamXbVwLS3NfYdg+L6A:0tb20pkaCqT5TBWgNQ7amX2kEHL6A
TLSH	T155358B22E39E9261C3737173BAD5A7316E7F782506A1F47B2F97CD38BC20121425A663
TrID	29.5% (.EXE) Win64 Executable (generic) (6522/11/2) 22.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 20.3% (.EXE) Win32 Executable (generic) (4504/4/1) 9.1% (.EXE) OS/2 Executable (generic) (2029/13) 9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
dhash icon	009c9ea28eb2cc44 (3 x MassLogger, 2 x Formbook)
Reporter	TomU
Tags:	exe MassLogger

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

AutoIt AutoStones VIP

Details

AutoIt

extracted scripts and files

AutoStones

the names of side-loaded components and, if available from processing of a parent file, the deobfuscated components

VIP

a communications type, a log recover type, a password, a string XOR key, decrypted strings, and based upon the communication type, one of the following: SMTP settings, FTP settings, or a Telegram URL

Link:

https://research.acce.ciphertechsolutions.com/results/a805ff89-c18d-42c1-951f-3998c3f3de34/

Malware family:

n/a

ID:

File name:

exe

Verdict:

Malicious activity

Analysis date:

2026-05-20 22:40:12 UTC

Tags:

auto-startup ip-check snake keylogger evasion telegram stealer spyware

Link:

https://app.any.run/tasks/5a07b8fd-eb95-440a-9891-0acb7c636d73

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

VIPKeyLogger

Link:

https://www.capesandbox.com/analysis/66820/

Detection(s):

SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a0df9014f2b29ce0401f4b1

Tags:

underscore autorun autoit emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Creating a file

Creating a process from a recently created file

Launching a process

Сreating synchronization primitives

DNS request

Connection attempt

Sending an HTTP GET request

Sending a custom TCP request

Reading critical registry keys

Stealing user critical data

Enabling autorun by creating a file

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

adaptive-context anti-debug autoit compiled-script findstr fingerprint hacktool keylogger lolbin masquerade microsoft_visual_cc reconnaissance snakestealer

Link:

https://www.filescan.io/uploads/6a0df2b878f38c56ac73f41b/reports/15c9cf8f-a915-4477-a932-52e16903f780/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/29cf19f78ffdef551b13138bcb108fb1b8b3752939cc65ea9c36c32d55a25a94

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-05-26T04:01:00Z UTC

Last seen:

2026-05-19T13:46:00Z UTC

Hits:

~1000

Link:

https://opentip.kaspersky.com/29cf19f78ffdef551b13138bcb108fb1b8b3752939cc65ea9c36c32d55a25a94/results?tab=lookup

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/430ba47f-8761-4d2b-8b55-305ab82d02f1

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/29cf19f78ffdef551b13138bcb108fb1b8b3752939cc65ea9c36c32d55a25a94

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/29cf19f78ffdef551b13138bcb108fb1b8b3752939cc65ea9c36c32d55a25a94/

Threat name:

Win32.Trojan.AutoitInject

Status:

Malicious

First seen:

2025-05-26 13:02:59 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 36 (63.89%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fhhrt54p7xxvkgytcof4weepwg4lg5jjhhggl2u4g3bs2vnclkka._file

Verdict:

malicious

Label(s):

vipkeylogger

autoit

unc_loader_036

Result

Malware family:

vipkeylogger

Score:

10/10

Tags:

family:vipkeylogger collection discovery keylogger stealer

Link:

https://tria.ge/reports/260520-v2wmtahy41/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Browser Information Discovery

System Location Discovery: System Language Discovery

AutoIT Executable

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Drops startup file

Executes dropped EXE

Family: VIPKeylogger

Unpacked files

SH256 hash:

29cf19f78ffdef551b13138bcb108fb1b8b3752939cc65ea9c36c32d55a25a94

MD5 hash:

d86d80f1895bb23920fe9f23265837d5

SHA1 hash:

d19654d90d91e93dc3bf85b8070d352338f4293b

Link:

https://www.unpac.me/results/07099dcf-9339-4657-ae5b-7175fa1c59b7/

SH256 hash:

29cf19f78ffdef551b13138bcb108fb1b8b3752939cc65ea9c36c32d55a25a94

MD5 hash:

d86d80f1895bb23920fe9f23265837d5

SHA1 hash:

d19654d90d91e93dc3bf85b8070d352338f4293b

Link:

https://www.unpac.me/results/07099dcf-9339-4657-ae5b-7175fa1c59b7/

SH256 hash:

24dca864141228f451ee382b2bcd47298fd0ec7ae656e780478b4ff679aa6f3f

MD5 hash:

17449cc27fbb76f51f78c4032a86f839

SHA1 hash:

01fe04fcc5250c28bf9fe8e336539a96848b475d

Detections:

win_404keylogger_g1

win_masslogger_w0

triage_snakekeylogger_infostealer

Link:

https://www.unpac.me/results/07099dcf-9339-4657-ae5b-7175fa1c59b7/

Parent samples :

2f5ddc948bb23c9c0798e16b92bc8434922800a11b503643fd7f490a9f16da06
f0ea203238500f03663733e31fea8cebb0d7c72af6d6f3578e1f67c6c532d028
6f8ee5830f1d488f16a500339d4de56479d89a4c2511328bb201014cabd9ad61
fe2f3029c38f9e6797f91c7f560ed013262e9feebbd0cb3850222ab7d46c8c32
147df6d9002c2a3d567f521595f16251f12b7e8d2adecab583a349aa95818736
0a36f604c1dfb7297c21f2b74600caa5df81ae43c9c1824e4a8de425b0dfaede
6fe914c71774d81a9ab4bc2b23a80aaa0f164c4d2d34f441ff95b546a3205afe
3c71dc69770af48af03effe50dbbbd246b8168d7e0fa5211b622759fcb6c0e3e
e91741f5f641f834836a6ce849bbf6563aa14fa4b686b6db3255a5e43c81d8f6
348379e04d8c9defb167f9b86bdabbab2ac4f95ea7ee6b1ea2bed36eafc62c95
54e2bde839e16579f55ca4ebd209bce0dab579ecd90e0c7d7efb85ea31cb357f
29fdb6bb8fa31427adbdadbbfe4aadf63ddea46f356a1382e8d68a1d3dcff8cf
e2528ff769b71dede661504e3af25efaaaa8bbc5983f0ecb5b70dca7451b2a8f
5f6e993861f9f97e0a51d060965c669fe94a00efcf2a03152ea5a53f67cb8756
316e340b6adade7f5a9a3ad9c620d7c9bcf900d08cfcec28e8d3b6dc2b6e5a1e
1c82d7afb5165833d07383fbdfc7daf78a19d527cd84bc24b3dbbc2035582472
ad94f1a913b31ec1412a784e2f5eda3b9e2d4f09f01b1162ec6a7a39516c47d2
131e7a58c7eef929455150072f714c30c3136b950297f6d8dffa6189499d8a73
29cf19f78ffdef551b13138bcb108fb1b8b3752939cc65ea9c36c32d55a25a94

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/29cf19f78ffdef551b13138bcb108fb1b8b3752939cc65ea9c36c32d55a25a94

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	crime_snake_keylogger Create hunting rule
Author:	Rony (r0ny_123)
Description:	Detects Snake keylogger payload

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	masslogger_gcch Create hunting rule
Author:	govcert_ch

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	telegram_bot_api Create hunting rule
Author:	rectifyq
Description:	Detects file containing Telegram Bot API

Rule name:	TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE Create hunting rule
Author:	CYFARE
Description:	Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:	https://cyfare.net/

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

Rule name:	Windows_Trojan_SnakeKeylogger_af3faa65 Create hunting rule
Author:	Elastic Security

Rule name:	win_masslogger_w0 Create hunting rule
Author:	govcert_ch

Rule name:	YahLover Create hunting rule
Author:	Kevin Falcoz
Description:	YahLover

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

exe 29cf19f78ffdef551b13138bcb108fb1b8b3752939cc65ea9c36c32d55a25a94

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/66820/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample