MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a7744ef7ff9df61995edc1cd227d72c4ccbe86764e99f22d38ad9e6d94e9b0e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 18

Intelligence 18 IOCs YARA 4 File information Comments

SHA256 hash:	8a7744ef7ff9df61995edc1cd227d72c4ccbe86764e99f22d38ad9e6d94e9b0e
SHA3-384 hash:	12e5e5be6295945a2299de0c99037dddb7783f976390063886b739df666451f7b88776678f86419d68073ae40e1f8118
SHA1 hash:	707799102c2946757b0bb09b01bc91b23a7f7fa7
MD5 hash:	7f2f16ab3a656d81b4e6d7d6fce840c2
humanhash:	jupiter-arkansas-east-indigo
File name:	SecuriteInfo.com.Trojan.PackedNET.3415.9445.28717
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	803'328 bytes
First seen:	2025-09-25 15:41:51 UTC
Last seen:	2025-09-25 16:44:08 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep	12288:2SgjmMrXWq0ImfwrRPuYHn6G4kzGtX9L04IXvI12OF8py+:VgPWqf1xuG6Gl/I1XFql
Threatray	3'275 similar samples on MalwareBazaar
TLSH	T17E05F11026E9DB06D0B74BB00870D3B1577AAE997522E30E4EE67CEF7C2AB411E15397
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	SecuriteInfoCom
Tags:	exe MassLogger

Intelligence

File Origin

# of uploads :

# of downloads :

144

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Trojan.PackedNET.3415.9445.28717

Verdict:

Malicious activity

Analysis date:

2025-09-25 15:47:01 UTC

Tags:

evasion snake keylogger telegram stealer ims-api generic

Link:

https://app.any.run/tasks/967dd10d-295a-4f6b-9885-d4d63b16d6bf

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

VIPKeyLogger

Link:

https://www.capesandbox.com/analysis/29049/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.3415.9445.28717.UNOFFICIAL

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68d562e7cc9425144151ea5f

Tags:

spawn shell virus

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Connection attempt

Creating a process with a hidden window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Сreating synchronization primitives

Sending an HTTP GET request

Sending a custom TCP request

Reading critical registry keys

Stealing user critical data

Adding an exclusion to Microsoft Defender

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed packed packer_detected

Link:

https://www.filescan.io/uploads/68d56328674d5fd6aa0c9628/reports/f7e99c78-ed63-47ef-b9d1-4740ed175bd9/overview

Verdict:

Malicious

Labled as:

Jalapeno.Generic

Link:

https://www.hybrid-analysis.com/sample/8a7744ef7ff9df61995edc1cd227d72c4ccbe86764e99f22d38ad9e6d94e9b0e

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-09-25T07:30:00Z UTC

Last seen:

2025-09-25T07:30:00Z UTC

Hits:

~100

Detections:

Trojan-PSW.Win32.Stelega.sb Trojan-PSW.Win32.Stealer.sb Trojan.MSIL.Inject.sb HEUR:Trojan.MSIL.Taskun.gen Trojan.MSIL.Taskun.sb Trojan.MSIL.Crypt.sb HEUR:Trojan-Spy.MSIL.Agent.sb VHO:Trojan-PSW.Win32.Stealer.gen PDM:Trojan.Win32.Generic

Link:

https://opentip.kaspersky.com/8a7744ef7ff9df61995edc1cd227d72c4ccbe86764e99f22d38ad9e6d94e9b0e/results?tab=lookup

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/af049882-362f-4d17-8558-5e771bdee01d

Score:

98%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/8a7744ef7ff9df61995edc1cd227d72c4ccbe86764e99f22d38ad9e6d94e9b0e

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.16 Win 32 Exe x86

Link:

https://app.malva.re/file/7f2f16ab3a656d81b4e6d7d6fce840c2

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8a7744ef7ff9df61995edc1cd227d72c4ccbe86764e99f22d38ad9e6d94e9b0e/

Verdict:

Malicious

Threat:

Family.SNAKE

Link:

https://tip.neiki.dev/file/8a7744ef7ff9df61995edc1cd227d72c4ccbe86764e99f22d38ad9e6d94e9b0e

Threat name:

ByteCode-MSIL.Spyware.Negasteal

Status:

Malicious

First seen:

2025-09-25 09:11:14 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rj3uj3377hpwdgk63qonej6xfrgmx2dhmtuz6iwtrlm6nwkotmha._file

Verdict:

malicious

Label(s):

vipkeylogger

unc_loader_037

MassLogger

4691af5573a42882f8a2814929d7da66de7fb1ed87970957a4fbfb9b40da2c89

MassLogger

4c463b6b2c03f037fdb1f011a547b1c794fd13d9e1174285991adcdef1f59a46

MassLogger

8ece82ad36ddad1e13a955098ea9629364950ed21a1155d7be4921208e62eb0c

MassLogger

error

MassLogger

faa236eaf11ddab3abe7dcc8c69613d89edf60da47060bf6dc881fa9e118cd9e

MassLogger

+ 3'265 additional samples on MalwareBazaar

Result

Malware family:

vipkeylogger

Score:

10/10

Tags:

family:vipkeylogger collection discovery execution keylogger spyware stealer

Link:

https://tria.ge/reports/250925-s56wvacm5s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Command and Scripting Interpreter: PowerShell

VIPKeylogger

Vipkeylogger family

Malware Config

C2 Extraction:

https://api.telegram.org/bot8099843793:AAGeYKMLti1IpyT9o6bz7OtgdXF9md25uXA/sendMessage?chat_id=6337180137

Verdict:

Unknown

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/83cbf4a6-a859-43d2-8c46-bfa195ebf0ea

Unpacked files

SH256 hash:

8a7744ef7ff9df61995edc1cd227d72c4ccbe86764e99f22d38ad9e6d94e9b0e

MD5 hash:

7f2f16ab3a656d81b4e6d7d6fce840c2

SHA1 hash:

707799102c2946757b0bb09b01bc91b23a7f7fa7

Link:

https://www.unpac.me/results/b2528e33-67f8-4cda-843a-d581d41f3e31/

SH256 hash:

78007b2dfa309c92e038f0e7a56ce9547fd239a14a6e18a4452b462c71adba0d

MD5 hash:

ad8de6128ec14274c2df52d52cb40c92

SHA1 hash:

2fad5f79f51690c61e00954a7643d244ad2d86b0

Detections:

win_404keylogger_g1

win_masslogger_w0

MAL_Envrial_Jan18_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_DotNetProcHook

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

Link:

https://www.unpac.me/results/b2528e33-67f8-4cda-843a-d581d41f3e31/

Parent samples :

9a94e891e348c3b34f1087fc5bd0f4d54f01f7ac6c6e58ae558d24e25013587b
004dcf9aaffaca3efa1f6e0019e9205f1344cbef12efd1ed8c17ec3a43ecaee0
2366eb1c3c5a10b3782f7d6948cb6a3b43fb20e348bc9d1ac2e4a2e96b13075a
633326457f86d0a12d3ff263f3a2f4f2d8325ef94fe3f20e6d74c3f1e72f6aa6
bd1c7fec482e5cae6c29f196953329ee39b3481542738f0b1395392fb9c3ee52
faa236eaf11ddab3abe7dcc8c69613d89edf60da47060bf6dc881fa9e118cd9e
0d41bec1e1df871d2a73908ea7f03498e78f8f75a65e87a7d863e333e1d4e65f
a2baea783b7929235c15f8b354fdb7a4dc5a251c97a0c3973cedd4eaa6dccf2a
dfff02076554af2576fd4b55b593d4923e19d7a5b0596ca4162c9101bed25691
8a7744ef7ff9df61995edc1cd227d72c4ccbe86764e99f22d38ad9e6d94e9b0e
8f69a8e1be4f5d02c3600b4e41d3f70a60ac7e0d9c7f25b6268f657917c4b749
fcce017a40b3e39526c19007cdfefcd80f1cb4498abddbb552a3eed9ed37832c
cbbec8fcc0e23e23bcdce82ab97533c7b49f0bcac924cf254a2a8d02b9594ac5
dc8856f9b6ef81442715fa7dc861932df7c99bc43e9377d712927bf0ba874357

SH256 hash:

a8f7d808c65983311e712efde21931bc5dc9dda54dbed298e4a0175648c415a7

MD5 hash:

7e5f1af96c98c1fc2be2ae42393f8d3b

SHA1 hash:

47fd1c8944283dea20751403ee9d7bdc9be3178a

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/b2528e33-67f8-4cda-843a-d581d41f3e31/

SH256 hash:

cdb8ac92c7a341ee1ead563bf7b48a244d580acfb30704043b6d4b24ea5ccf09

MD5 hash:

07ca79c30cd50df8c68d115eebd52475

SHA1 hash:

a70c058086cd6156059b9947aee5bcd3f75f3336

Link:

https://www.unpac.me/results/b2528e33-67f8-4cda-843a-d581d41f3e31/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/8a7744ef7ff9/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8a7744ef7ff9df61995edc1cd227d72c4ccbe86764e99f22d38ad9e6d94e9b0e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MassLogger

exe 8a7744ef7ff9df61995edc1cd227d72c4ccbe86764e99f22d38ad9e6d94e9b0e

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3631855/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/29049/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample