MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 574a4e7a5f2cc7b755da86c4233e08c05f244c722deba53df766bcd96cfd1311. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 16

Intelligence 16 IOCs YARA 24 File information Comments

SHA256 hash:	574a4e7a5f2cc7b755da86c4233e08c05f244c722deba53df766bcd96cfd1311
SHA3-384 hash:	ba4d75338eda6f22bf36d777499ea31829d4e85831058e668a8ca3329b6eb542f21c1471feddda21d822f623736eefd5
SHA1 hash:	3f4e444b587d7f9c2a7a36d550412e751af62443
MD5 hash:	a5fdc0e4f4004a5b8c20191c7c3ebcad
humanhash:	colorado-blue-bulldog-island
File name:	574a4e7a5f2cc7b755da86c4233e08c05f244c722deba53df766bcd96cfd1311
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	1'014'272 bytes
First seen:	2026-06-08 09:42:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (49'066 x AgentTesla, 20'012 x Formbook, 12'352 x SnakeKeylogger)
ssdeep	24576:H66lR0caEJwNftgHNwMv0KUI8HmefwiAfi26CG3AwP:HF0tNfANhsK+7JkMQu
Threatray	2'917 similar samples on MalwareBazaar
TLSH	T1FE25122C650AE607C9912B395FB2F2B4126E0EDDE911D226CFD9BDEFF9B7A041C04152
TrID	73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.6% (.EXE) Win64 Executable (generic) (6522/11/2) 4.5% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	adrian__luca
Tags:	exe MassLogger

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

RoboSki

Details

Link:

https://research.acce.ciphertechsolutions.com/results/56a97f11-94a1-4169-9b50-810562fdc095/

Detection:

VIPKeyLogger

Link:

https://www.capesandbox.com/analysis/69891/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a268f49ae2f98c00a68cb43

Tags:

infosteal shell virus smtp

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a service

Creating a process with a hidden window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Сreating synchronization primitives

DNS request

Connection attempt

Sending an HTTP GET request

Sending a custom TCP request

Adding an exclusion to Microsoft Defender

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

crypt krypt packed snakestealer

Link:

https://www.filescan.io/uploads/6a268ec13d2a0c6df8e96462/reports/fb93c5ea-ce6e-47dd-b10a-cae8b1626054/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/574a4e7a5f2cc7b755da86c4233e08c05f244c722deba53df766bcd96cfd1311

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-05-14T03:20:00Z UTC

Last seen:

2026-05-28T01:51:00Z UTC

Hits:

~100

Link:

https://opentip.kaspersky.com/574a4e7a5f2cc7b755da86c4233e08c05f244c722deba53df766bcd96cfd1311/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/c2fdae3b-a4aa-41f9-a73e-2915581cb11e

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/574a4e7a5f2cc7b755da86c4233e08c05f244c722deba53df766bcd96cfd1311

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/574a4e7a5f2cc7b755da86c4233e08c05f244c722deba53df766bcd96cfd1311/

Threat name:

ByteCode-MSIL.Trojan.Heracles

Status:

Malicious

First seen:

2026-05-14 07:22:00 UTC

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=k5fe46s7ftd3ovo2q3ccgpqiybpsitdsfxv2kppxm26ns3h5cmiq._file

Verdict:

malicious

Label(s):

xworm

vipkeylogger

MassLogger

6a2cefdd2b5810aef5388f4b23392847ae4abe6d4142ea7145e0afd04c00fcab

MassLogger

7db983607b14ea67a3d656542e033ba69fdbd3a4bcb7bea0251205d219ab71bd

MassLogger

82e9f638f4235a110559bbb2e9d83c4f72c23040799c80fde7e9503cfe66aa6e

MassLogger

8ece82ad36ddad1e13a955098ea9629364950ed21a1155d7be4921208e62eb0c

MassLogger

99f8a75fb301a60588d16fc659fda59f2c48cddfd2d3a730cf9a97d98b1b6023

MassLogger

+ 2'907 additional samples on MalwareBazaar

Result

Malware family:

vipkeylogger

Score:

10/10

Tags:

family:vipkeylogger collection discovery execution keylogger spyware stealer

Link:

https://tria.ge/reports/260608-lqafrsbx3p/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Command and Scripting Interpreter: PowerShell

Family: VIPKeylogger

Malware Config

C2 Extraction:

https://api.telegram.org/bot8099843793:AAGeYKMLti1IpyT9o6bz7OtgdXF9md25uXA/sendMessage?chat_id=6337180137

Unpacked files

SH256 hash:

574a4e7a5f2cc7b755da86c4233e08c05f244c722deba53df766bcd96cfd1311

MD5 hash:

a5fdc0e4f4004a5b8c20191c7c3ebcad

SHA1 hash:

3f4e444b587d7f9c2a7a36d550412e751af62443

Link:

https://www.unpac.me/results/2c15bb62-c467-4caf-847b-9c256771d9a3/

SH256 hash:

3c855bbfae22eaccd00cb2947bf2f05fb733a99b4df7a767a7614be4086807e7

MD5 hash:

df945bc1cc642d673d52736f827cf6a4

SHA1 hash:

074684d7341a15208e584b6aa6cd8a6bc7d6cc99

Detections:

win_404keylogger_g1

win_masslogger_w0

triage_snakekeylogger_infostealer

Link:

https://www.unpac.me/results/2c15bb62-c467-4caf-847b-9c256771d9a3/

Parent samples :

6ea116b59ac03c3211143de70e7ed3843d57a39b0c87936e58d1c5c8e17b439b
2b1709a9c749ff0e6bca3643813dd090ac492a20104666259f65939d5e0c40b0
9d5c8e9c41ff08b0a3be489ac1ef0f014f2749ad0e3217af2e0665c514a072fc
e463f87a0c098ff8bcbc4c262e9eddf3dea51148d2ba9d12c64addb21e2ff978
ccbdec866c4dc5272bf35d9e08186c71031cfc63d37e45d96a35d69cdfb5dfe6
3b80f1666e8725435546d010c6f775ec852dd7691618236563e1bed1043da625
733c3e1e510fe841346e63a3728ec2d195951ef1b70992ee1de55e42f353a10c
82e9f638f4235a110559bbb2e9d83c4f72c23040799c80fde7e9503cfe66aa6e
6a2cefdd2b5810aef5388f4b23392847ae4abe6d4142ea7145e0afd04c00fcab
f861e0a3713c68251d0a7bbed32dd0a28244f2fbf261986df942cddbbea4c90e
6eec837ef183484c588803026b979cb724909e5f62923786c771b6a38bda35e9
4c641df2e4ba6ede0916b22008a6bf4e539fd7581c9ebec5f63afec985853d07
574a4e7a5f2cc7b755da86c4233e08c05f244c722deba53df766bcd96cfd1311
a6a4be0c04b60ae7b77928507231bb35bb6c0625b61fc489ac120ee1cfe4ed54

SH256 hash:

fb1dc1f02bd667032e6011e2d00fa0561c31cd35b90524c4e0036c369150679a

MD5 hash:

b71a7399bda5c29f919044032698a196

SHA1 hash:

25a578f9eb66e62472d0ecda72960501e4e39afe

Link:

https://www.unpac.me/results/2c15bb62-c467-4caf-847b-9c256771d9a3/

SH256 hash:

0a253f3af7fcaad33aa86f8d8ed4216517899bc9d584b8248a49d17fafb9d9df

MD5 hash:

5df98574c4b6883b80d7278249e93963

SHA1 hash:

701e971d378a0ce25d12f1a529ef0716dcaf3ded

Link:

https://www.unpac.me/results/2c15bb62-c467-4caf-847b-9c256771d9a3/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/574a4e7a5f2c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/574a4e7a5f2cc7b755da86c4233e08c05f244c722deba53df766bcd96cfd1311

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	crime_snake_keylogger Create hunting rule
Author:	Rony (r0ny_123)
Description:	Detects Snake keylogger payload

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	masslogger_gcch Create hunting rule
Author:	govcert_ch

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	telebot_framework Create hunting rule
Author:	vietdx.mb

Rule name:	TelegramAPIMalware_PowerShell_EXE Create hunting rule
Author:	@polygonben
Description:	Hunting for pwsh malware using Telegram for C2

Rule name:	telegram_bot_api Create hunting rule
Author:	rectifyq
Description:	Detects file containing Telegram Bot API

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

Rule name:	VIPKeyLogger Create hunting rule
Author:	kevoreilly
Description:	Detects VIPKeyLogger Keylogger

Rule name:	Windows_Trojan_SnakeKeylogger_af3faa65 Create hunting rule
Author:	Elastic Security

Rule name:	win_dotnet_vb_stealer_rat Create hunting rule
Author:	Arrbat
Description:	Detects .NET/VB executables with stealer/RAT capabilities (sockets, HTTP, processes, registry, etc).

Rule name:	win_masslogger_w0 Create hunting rule
Author:	govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/69891/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample