MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a120eebc11796c039efb1e6d45ad79505b09527fcfc580ccbd3550c2b4a2382. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 17

Intelligence 17 IOCs YARA 6 File information Comments

SHA256 hash:	3a120eebc11796c039efb1e6d45ad79505b09527fcfc580ccbd3550c2b4a2382
SHA3-384 hash:	600c1f1908f33e628868cb709b2373d95896d3e05be1b42e85fece801c98900e719931a83d955388a5d4c1f2c7070989
SHA1 hash:	64a6c33198605a0b218d64f7ffd980e1bb36165e
MD5 hash:	775db5ef94aad4d35e253ec7477fbd36
humanhash:	fourteen-fourteen-georgia-maine
File name:	SecuriteInfo.com.Win32.MalwareX-gen.11750.19423
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	543'752 bytes
First seen:	2025-08-15 10:14:31 UTC
Last seen:	2025-08-15 11:44:40 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:UuJSat5pCIMWoNvk+5Bxkhy75tZmczTA6pcszOkR:UAnpCjhb5nMCZjzTbmK
TLSH	T14CC40158366DD803C6A617B01EB1D3BC03B5AECDB801D39ABEF9ADD77DA175412802D2
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	SecuriteInfoCom
Tags:	exe MassLogger

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Win32.MalwareX-gen.11750.19423

Verdict:

Malicious activity

Analysis date:

2025-08-15 10:16:19 UTC

Tags:

evasion snake keylogger stealer netreactor auto-sch-xml ims-api generic

Link:

https://app.any.run/tasks/d5422cf7-a473-482f-a95b-40efc0f468c1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/21511/

Detection(s):

SecuriteInfo.com.Win32.MalwareX-gen.11750.19423.UNOFFICIAL

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=689f08d448c64d68735c7d59

Tags:

krypt spawn spam msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a process with a hidden window

Creating a file in the %temp% directory

Launching a process

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Сreating synchronization primitives

DNS request

Connection attempt

Sending an HTTP GET request

Sending a custom TCP request

Reading critical registry keys

Stealing user critical data

Adding an exclusion to Microsoft Defender

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 bitmap expired-cert explorer invalid-signature lolbin lolbin msbuild obfuscated packed packed reconnaissance regsvcs rezer0 roboski schtasks signed stego telegram vbc vbnet

Link:

https://www.filescan.io/uploads/689f08dd9ef4d2ff7cfee84a/reports/65799adb-ab5f-4a5f-9f51-3e185c152747/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/3a120eebc11796c039efb1e6d45ad79505b09527fcfc580ccbd3550c2b4a2382

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4fadf3cb-ca35-4069-8b14-0289f8f7b71f

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/3a120eebc11796c039efb1e6d45ad79505b09527fcfc580ccbd3550c2b4a2382

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.39 Win 32 Exe x86

Link:

https://app.malva.re/file/775db5ef94aad4d35e253ec7477fbd36

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3a120eebc11796c039efb1e6d45ad79505b09527fcfc580ccbd3550c2b4a2382/

Verdict:

Malicious

Threat:

Family.SNAKE

Link:

https://tip.neiki.dev/file/3a120eebc11796c039efb1e6d45ad79505b09527fcfc580ccbd3550c2b4a2382

Threat name:

Win32.Trojan.Egairtigado

Status:

Malicious

First seen:

2025-08-15 09:05:19 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 23 (82.61%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hija526bc6lmaoppwhtniwwxsuc3bfjh7t6fqdgl2nkqyk2keoba._file

Verdict:

malicious

Label(s):

novastealer

unc_loader_037

Similar samples:

error

MassLogger

Result

Malware family:

masslogger

Score:

10/10

Tags:

family:masslogger collection discovery execution persistence spyware stealer

Link:

https://tria.ge/reports/250815-mbkhvswvds/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Command and Scripting Interpreter: PowerShell

MassLogger

Masslogger family

Malware Config

C2 Extraction:

https://api.telegram.org/bot8249574412:AAEYI1aKTMsQBYXH4o8C5XnXqiv65jV2kC8/sendMessage?chat_id=6488172735

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/5a4a1104-ef63-4a49-9a0e-bac29449e2a9

Unpacked files

SH256 hash:

3a120eebc11796c039efb1e6d45ad79505b09527fcfc580ccbd3550c2b4a2382

MD5 hash:

775db5ef94aad4d35e253ec7477fbd36

SHA1 hash:

64a6c33198605a0b218d64f7ffd980e1bb36165e

Link:

https://www.unpac.me/results/88f3703a-8f85-48b8-91d5-6d760cc00640/

SH256 hash:

e833b4c040a54da76ec316ed0a58bd962c104ecfaf27de4113af7d3e7246a3a9

MD5 hash:

ad7cf108545cde32ec3ee332ce267e83

SHA1 hash:

39aeb72728b1c9e64593766e73435886fdd485b0

Link:

https://www.unpac.me/results/88f3703a-8f85-48b8-91d5-6d760cc00640/

SH256 hash:

570a07324950511469f23acfe90363c18866862a2709567e3e82dff96b36e54e

MD5 hash:

5a94395aed26695cfccf92fc3988541c

SHA1 hash:

60abc87530ee8297234e04b2fba8da4e33bfadf5

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/88f3703a-8f85-48b8-91d5-6d760cc00640/

SH256 hash:

c9405ddf057b051d9d9c9247f07cd8afadd6ba84b85c867af01d50a975cc1fd7

MD5 hash:

b3e77a5cb11517175b2330003fc7cb7f

SHA1 hash:

88c711c54dec56376a7945f935b9548ff01337a2

Detections:

win_404keylogger_g1

win_masslogger_w0

MAL_Envrial_Jan18_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

Link:

https://www.unpac.me/results/88f3703a-8f85-48b8-91d5-6d760cc00640/

Parent samples :

58ea06e2f9f4c8108e1803ca0869805eae62c5f9f0651e6b53e66a0aafb3c349
329bd5c046cbf67eb31dd230e0d888374afbee19d89f333ffbe41494079dbdfd
3052b8ccdf8f2b0e43ff460d0fa79e75fe741fcbb823fce9ba5d7db8203d0c3a
3a120eebc11796c039efb1e6d45ad79505b09527fcfc580ccbd3550c2b4a2382
66513d2b0ca211cd190997156119713b7b8704a49a28fb9a8328749b9dc2cd45
932857e7d796c0ea5002d21a2f6fe9646fc1de0548c2847d6dfe0458dc1398cc
f9c86d1815b169a952352073adc608b0e215e9bfb871cd85e59a76d1152aff14
e054c2fc74e0788e698df9e69fed9d8fe975df61fe699281508e4a097e43c8d2
5240a9ff514c4c31fa548a21ef76f684efb7b62edb0b2db9cc5fbaa00e73b87b
007cd810db2b95805793f8b38d89946479092c54385a4e127bb9dfe5512ade1c

Malware family:

zgRAT

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3a120eebc117/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3a120eebc11796c039efb1e6d45ad79505b09527fcfc580ccbd3550c2b4a2382

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/21511/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample