MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b8df0ab8e4701b23fbba918727eef9edb4449d7862f0bd3606b90db439f8ed8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 12

Intelligence 12 IOCs YARA 19 File information Comments

SHA256 hash:	9b8df0ab8e4701b23fbba918727eef9edb4449d7862f0bd3606b90db439f8ed8
SHA3-384 hash:	8d249a28afdae1dbe68bdd1b3153628cf8e607f17374b47531c32d3c9c5a6d04232e5f28ddb82d9ce8ec9a98b78c4ec4
SHA1 hash:	7007c36a1ddf2e1d25850d0d87e2bc0e05d75b78
MD5 hash:	dc99c00b1427a9a70d6d6da3368814cd
humanhash:	earth-fix-kentucky-skylark
File name:	9b8df0ab8e4701b23fbba918727eef9edb4449d7862f0bd3606b90db439f8ed8
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	558'592 bytes
First seen:	2025-07-07 15:07:48 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	12288:pMnbzxyE8zGKQ03DSvJEM0R7svPc7cpdGnsov05RXl1qW:pMnbFyE8zfDUGMQkcgynr05RXiW
TLSH	T168C4F10E68E38482C1AA3F748993C2794D743FEA5873C7D76FE63D8F3421A519913626
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
dhash icon	1a71c0aaaaaa0203 (10 x Formbook, 2 x RemcosRAT, 2 x SnakeKeylogger)
Reporter	adrian__luca
Tags:	exe MassLogger

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/13219/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=686be333c9eb97473767755e

Tags:

backdoor virus msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Сreating synchronization primitives

DNS request

Connection attempt

Sending an HTTP GET request

Sending a custom TCP request

Reading critical registry keys

Blocking the Windows Defender launch

Stealing user critical data

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/9b8df0ab8e4701b23fbba918727eef9edb4449d7862f0bd3606b90db439f8ed8

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/597a5a35-69eb-47ab-8dc3-50df027c3d09

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/9b8df0ab8e4701b23fbba918727eef9edb4449d7862f0bd3606b90db439f8ed8

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable PDB Path PE (Portable Executable) SOS: 0.07 Win 32 Exe x86

Link:

https://app.malva.re/file/dc99c00b1427a9a70d6d6da3368814cd

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9b8df0ab8e4701b23fbba918727eef9edb4449d7862f0bd3606b90db439f8ed8/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2025-06-27 21:56:38 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=tog7bk4oi4a3ep53vemhe7xpt3nuisoxqyxqxu3anoinwq47r3ma._file

Result

Malware family:

masslogger

Score:

10/10

Tags:

family:masslogger collection discovery evasion spyware stealer trojan

Link:

https://tria.ge/reports/250707-sh5ehatmx5/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads user/profile data of local email clients

Reads user/profile data of web browsers

MassLogger

Masslogger family

Modifies Windows Defender DisableAntiSpyware settings

Malware Config

C2 Extraction:

https://api.telegram.org/bot8033877980:AAHqRHGJsyLgcsFbXWn0qH7Pj2TrXmObvDQ/sendMessage?chat_id=7731003424

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/6b710bdb-b741-4f9a-bf28-c92f39118307

Unpacked files

SH256 hash:

9b8df0ab8e4701b23fbba918727eef9edb4449d7862f0bd3606b90db439f8ed8

MD5 hash:

dc99c00b1427a9a70d6d6da3368814cd

SHA1 hash:

7007c36a1ddf2e1d25850d0d87e2bc0e05d75b78

Link:

https://www.unpac.me/results/398291a3-58a1-464c-85a6-05c11e4f6799/

SH256 hash:

741b73d728c4b1366090cfa7bf33edfefecdae3c703c4cfc8a7eef7ac99be4c8

MD5 hash:

aff04a6ae0eb4b5784b7fd613b73d328

SHA1 hash:

05fd5a4a973d3e44f5d11195c37758eb23a84337

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

INDICATOR_EXE_Packed_SmartAssembly

Link:

https://www.unpac.me/results/398291a3-58a1-464c-85a6-05c11e4f6799/

Parent samples :

e3b280fc7bd9dc77cf90901553a8d9e103d8ce3eb4fb4f107599a6c9630ff825
f61987f81fadb7d8847d640f0a6ece8fc5a4cef59f54ecc163fd18d5267fb2b2
9b8df0ab8e4701b23fbba918727eef9edb4449d7862f0bd3606b90db439f8ed8
0f22c8a761d26fc6db2f20b2c3070269bf8248eebc03743250da0805ee9a8511

SH256 hash:

ae55a6dd9743aa3c5592add1a7bf2d8e59a3d760a6f91499a28c08a9ae4c2638

MD5 hash:

0d70c6e191123495ac283728bef5a114

SHA1 hash:

c3e1bd6367f40dc6d039449faef36db63838fff3

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/398291a3-58a1-464c-85a6-05c11e4f6799/

SH256 hash:

c74080282f68f9617e70b3b00a7728af7c15895b13cab34588d57ea14757bb79

MD5 hash:

e65ec9a8221b987bae48a5651a8dc747

SHA1 hash:

d46d27e328d3d9affa4b55231c9b3d14b78600d8

Detections:

win_404keylogger_g1

win_masslogger_w0

MAL_Envrial_Jan18_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender

Link:

https://www.unpac.me/results/398291a3-58a1-464c-85a6-05c11e4f6799/

Parent samples :

37deb7d4ba1e81700197730a2f9259414d00c05c9b56400a364c914dc0a44b4a
7553b95daaa8bf122add4c34e160f80ad4438680185b820788b31cba9a66379d
f8c1683dbfc0d40b23f720566b527ea31d96a1e24e605805c1d4646af7fde61c
975de0616a561e423d820a9afdcad4ee7521deb2f192da0e4a220ff1da03f82a
0bfb0b841074e05c24408075a90c89647429199cf37b4970a0e17b49e334c857
9b8df0ab8e4701b23fbba918727eef9edb4449d7862f0bd3606b90db439f8ed8

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9b8df0ab8e4701b23fbba918727eef9edb4449d7862f0bd3606b90db439f8ed8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	crime_snake_keylogger Create hunting rule
Author:	Rony (r0ny_123)
Description:	Detects Snake keylogger payload

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender Create hunting rule
Author:	ditekSHen
Description:	Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	masslogger_gcch Create hunting rule
Author:	govcert_ch

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	telegram_bot_api Create hunting rule
Author:	rectifyq
Description:	Detects file containing Telegram Bot API

Rule name:	Windows_Trojan_SnakeKeylogger_af3faa65 Create hunting rule
Author:	Elastic Security

Rule name:	win_masslogger_w0 Create hunting rule
Author:	govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/13219/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample