MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 640c7c6ea97dbecc0438cd6d77d4a599e459929f626e2f0b2b4a66dfe1f99b84. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



MassLogger


Vendor detections: 16


Intelligence 16 IOCs YARA 23 File information Comments

SHA256 hash: 640c7c6ea97dbecc0438cd6d77d4a599e459929f626e2f0b2b4a66dfe1f99b84
SHA3-384 hash: c30ce6c6ad30c24035903713e845023a4938bb42ec7b301f45439f7c8d5de65db4da2d6ecccf29b9579cf3932633072e
SHA1 hash: d7ce809c5ec1ede0489a3be06beb792d38f89f7f
MD5 hash: 75071e56c67a11e605584e2dd88328b8
humanhash: tennis-alaska-neptune-three
File name:eJpi6ZTmpkYoC3r.exe
Download: download sample
Signature MassLogger
File size:1'056'256 bytes
First seen:2026-06-29 08:23:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'076 x AgentTesla, 20'045 x Formbook, 12'353 x SnakeKeylogger)
ssdeep 24576:qUvJO/blPE3bMN5E7BC5pwqZemfx/HjiTVt1wt4:Ry5P9NeWXem5vjiTz
TLSH T1BF259D9C3111FA8EC8878D72C968DDF4A6102CA6D707D24391E77DABB93D7869F041E2
TrID 70.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.2% (.EXE) Win64 Executable (generic) (6522/11/2)
4.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter adrian__luca
Tags:exe MassLogger

Intelligence


File Origin
# of uploads :
1
# of downloads :
162
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
ConfuserEx RoboSki
Details
Malware family:
n/a
ID:
1
File name:
exe
Verdict:
Malicious activity
Analysis date:
2026-06-29 08:31:58 UTC
Tags:
auto-reg ip-check evasion stealer telegram snake keylogger

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.1%
Tags:
agenttesla virus msil sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-06-22T05:28:00Z UTC
Last seen:
2026-06-29T07:33:00Z UTC
Hits:
~100
Detections:
Trojan.MSIL.Inject.sb Trojan-PSW.Win32.Stelega.sb Trojan-Dropper.Win32.Injector.sb HEUR:Trojan-Spy.MSIL.BPLogger.gen Backdoor.Win32.Androm.sb PDM:Trojan.Win32.Generic Trojan.Win32.Diztakun.sb Trojan.Multi.Agent.sb Trojan.MSIL.Crypt.sb Trojan-Spy.MSIL.BPLogger.sb Trojan-PSW.Win32.Stealer.sb HEUR:Trojan-Spy.MSIL.Agent.sb Trojan.Win32.Agent.sb
Malware family:
Snake Keylogger
Verdict:
Malicious
Verdict:
inconclusive
YARA:
12 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.83 Win 32 Exe x86
Threat name:
Win32.Trojan.AgentTesla
Status:
Malicious
First seen:
2026-06-22 07:23:21 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
novastealer
Similar samples:
Result
Malware family:
masslogger
Score:
  10/10
Tags:
family:masslogger collection defense_evasion discovery evasion execution persistence spyware stealer trojan
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Disables RegEdit via registry modification
Disables Task Manager via registry modification
Family: MassLogger
Modifies Windows Defender DisableAntiSpyware settings
Malware Config
C2 Extraction:
https://api.telegram.org/bot8892355596:AAHtCgmCvqpeFMQc0k90TOzvoWYxw-hvnWY/sendMessage?chat_id=6721127118
Unpacked files
SH256 hash:
640c7c6ea97dbecc0438cd6d77d4a599e459929f626e2f0b2b4a66dfe1f99b84
MD5 hash:
75071e56c67a11e605584e2dd88328b8
SHA1 hash:
d7ce809c5ec1ede0489a3be06beb792d38f89f7f
SH256 hash:
b0eec9778e0e153680a3d7712a89ff90efbf1897c365e3215237644b1a8a1abc
MD5 hash:
97b67c48f44206d1dfc2a941f8adedeb
SHA1 hash:
4b4fc2550598373bf645c7c10ef54ae2fb791454
Detections:
win_404keylogger_g1 win_masslogger_w0 triage_snakekeylogger_infostealer
SH256 hash:
9b7b864b1e026793db7fe15147751249b43d26caeaa90537a9dc4b4cd29c8a35
MD5 hash:
f3f10a350a46d35893c6583dd78e9d16
SHA1 hash:
a8d4eb50dc881e14652e2c339ee341a6cd57b41d
SH256 hash:
4c90e30ef4f273b1bb6fca725026d7327008db677406323ba800fd7efde80461
MD5 hash:
9f18ef89ca547409cfb744702817d504
SHA1 hash:
c2d15b2ef0c996df3c24742a58c13a0dc39607da
Malware family:
PrivateLogger
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_snake_keylogger
Author:Rony (r0ny_123)
Description:Detects Snake keylogger payload
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Disable_Defender
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MAL_Envrial_Jan18_1
Author:Florian Roth (Nextron Systems)
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:masslogger_gcch
Author:govcert_ch
Rule name:NET
Author:malware-lu
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:pe_imphash
Rule name:RANSOMWARE
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Author:vietdx.mb
Rule name:TelegramAPIMalware_PowerShell_EXE
Author:@polygonben
Description:Hunting for pwsh malware using Telegram for C2
Rule name:telegram_bot_api
Author:rectifyq
Description:Detects file containing Telegram Bot API
Rule name:VECT_Ransomware
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.
Rule name:Windows_Trojan_SnakeKeylogger_af3faa65
Author:Elastic Security
Rule name:win_dotnet_vb_stealer_rat
Author:Arrbat
Description:Detects .NET/VB executables with stealer/RAT capabilities (sockets, HTTP, processes, registry, etc).
Rule name:win_masslogger_w0
Author:govcert_ch

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

Executable exe 640c7c6ea97dbecc0438cd6d77d4a599e459929f626e2f0b2b4a66dfe1f99b84

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments