MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 9ed10038d2b1b7f16aa554d6d142f934512e6a875567669ea947a5e5cddb8ecd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
MassLogger
Vendor detections: 15
| SHA256 hash: | 9ed10038d2b1b7f16aa554d6d142f934512e6a875567669ea947a5e5cddb8ecd |
|---|---|
| SHA3-384 hash: | fbbe956dfd1b29db3204a8fff5d9e520d72f75e31f60c2c4db4956d2d44a914bac3a3f3f316f8e3c115141132c67f944 |
| SHA1 hash: | e025694a8b801f96496a7597303e8eacfa397e33 |
| MD5 hash: | 0f6c05e26d347d885c34c68a3f340715 |
| humanhash: | gee-beer-hamper-xray |
| File name: | 9ed10038d2b1b7f16aa554d6d142f934512e6a875567669ea947a5e5cddb8ecd |
| Download: | download sample |
| Signature | MassLogger |
| File size: | 1'102'336 bytes |
| First seen: | 2025-07-07 14:46:54 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 0b768923437678ce375719e30b21693e (143 x Formbook, 25 x MassLogger, 22 x SnakeKeylogger) |
| ssdeep | 24576:H5EmXFtKaL4/oFe5T9yyXYfP1ijXda3TlnTKQ/jY:HPVt/LZeJbInQRa3TlTKQ/ |
| Threatray | 3'425 similar samples on MalwareBazaar |
| TLSH | T15935AE0333828022FF9B95774B56F36547BC6E260127A55F13682979FE704B2173EAA3 |
| TrID | 40.3% (.EXE) Win64 Executable (generic) (10522/11/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4504/4/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3) |
| Magika | pebin |
| dhash icon | f0f0f2b2e834b498 (29 x AgentTesla, 12 x AveMariaRAT, 8 x RedLineStealer) |
| Reporter |  adrian__luca |
| Tags: | exe MassLogger |
Intelligence
File Origin
# of uploads :
1
# of downloads :
20
Origin country :
HUVendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ANGEBOT NR. 4520.PDF.gz
Verdict:
Malicious activity
Analysis date:
2025-06-24 22:35:23 UTC
Tags:
arch-exec evasion snake keylogger stealer
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Verdict:
Malicious
Score:
99.9%
Tags:
autorun autoit emotet
Result
Verdict:
Malware
Maliciousness:
Behaviour
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Creating a window
Creating a file in the %temp% directory
Creating a file
Creating a process from a recently created file
Launching a process
Stealing user critical data
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Labled as:
Trojan.Generic
Malware family:
Snake Keylogger
Verdict:
Malicious
Score:
100%
Verdict:
Malware
File Type:
PE
Verdict:
Malware
YARA:
7 match(es)
Tags:
AutoIt Decompiled Executable PE (Portable Executable) Suspect Win 32 Exe x86
Threat name:
Win32.Spyware.Negasteal
Status:
Malicious
First seen:
2025-06-24 13:06:32 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
20 of 24 (83.33%)
Threat level:
2/5
Detection(s):
Suspicious file
Verdict:
malicious
Label(s):
novastealer
Similar samples:
+ 3'415 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Score:
10/10
Tags:
family:masslogger collection discovery spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
System Location Discovery: System Language Discovery
AutoIT Executable
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
MassLogger
Masslogger family
Verdict:
Malicious
Tags:
404Keylogger
YARA:
n/a
Unpacked files
SH256 hash:
9ed10038d2b1b7f16aa554d6d142f934512e6a875567669ea947a5e5cddb8ecd
MD5 hash:
0f6c05e26d347d885c34c68a3f340715
SHA1 hash:
e025694a8b801f96496a7597303e8eacfa397e33
SH256 hash:
7f8cdd14d1f3f41b027041ceecde8d6edcbb089d27978a51d8f6a9316740bc0b
MD5 hash:
361e60df259178660661c2f55b1b23fe
SHA1 hash:
852e4430c02cea54007a9748b583c0c2bed9a77b
Detections:
win_404keylogger_g1
win_masslogger_w0
MAL_Envrial_Jan18_1
INDICATOR_SUSPICIOUS_Binary_References_Browsers
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Parent samples :
3bed682a9298367059c63e05f0b565dbad9f5959302f239c00a92eb3aeb16d67
dd09be82abbdebe05d7531fd1113727857b11374801dfcb98019f725651130ca
9626576751f3bb699691a8b760b018914957fe19c7af62067db8b4a4aa69c43c
5a3d534974b9eb9a059ff4296492f2c780062b241ba12268b272d36c1b29d68d
9ed10038d2b1b7f16aa554d6d142f934512e6a875567669ea947a5e5cddb8ecd
dd09be82abbdebe05d7531fd1113727857b11374801dfcb98019f725651130ca
9626576751f3bb699691a8b760b018914957fe19c7af62067db8b4a4aa69c43c
5a3d534974b9eb9a059ff4296492f2c780062b241ba12268b272d36c1b29d68d
9ed10038d2b1b7f16aa554d6d142f934512e6a875567669ea947a5e5cddb8ecd
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | AutoIT_Compiled |
|---|---|
| Author: | @bartblaze |
| Description: | Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious. |
| Rule name: | crime_snake_keylogger |
|---|---|
| Author: | Rony (r0ny_123) |
| Description: | Detects Snake keylogger payload |
| Rule name: | DebuggerCheck__API |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DetectEncryptedVariants |
|---|---|
| Author: | Zinyth |
| Description: | Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded |
| Rule name: | golang_bin_JCorn_CSC846 |
|---|---|
| Author: | Justin Cornwell |
| Description: | CSC-846 Golang detection ruleset |
| Rule name: | INDICATOR_SUSPICIOUS_Binary_References_Browsers |
|---|---|
| Author: | ditekSHen |
| Description: | Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_TelegramChatBot |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables using Telegram Chat Bot |
| Rule name: | MAL_Envrial_Jan18_1 |
|---|---|
| Author: | Florian Roth (Nextron Systems) |
| Description: | Detects Encrial credential stealer malware |
| Reference: | https://twitter.com/malwrhunterteam/status/953313514629853184 |
| Rule name: | MAL_Envrial_Jan18_1_RID2D8C |
|---|---|
| Author: | Florian Roth |
| Description: | Detects Encrial credential stealer malware |
| Reference: | https://twitter.com/malwrhunterteam/status/953313514629853184 |
| Rule name: | masslogger_gcch |
|---|---|
| Author: | govcert_ch |
| Rule name: | NET |
|---|---|
| Author: | malware-lu |
| Rule name: | NETexecutableMicrosoft |
|---|---|
| Author: | malware-lu |
| Rule name: | pe_detect_tls_callbacks |
|---|
| Rule name: | pe_imphash |
|---|
| Rule name: | RANSOMWARE |
|---|---|
| Author: | ToroGuitar |
| Rule name: | Skystars_Malware_Imphash |
|---|---|
| Author: | Skystars LightDefender |
| Description: | imphash |
| Rule name: | Sus_CMD_Powershell_Usage |
|---|---|
| Author: | XiAnzheng |
| Description: | May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP) |
| Rule name: | Sus_Obf_Enc_Spoof_Hide_PE |
|---|---|
| Author: | XiAnzheng |
| Description: | Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP) |
| Rule name: | telegram_bot_api |
|---|---|
| Author: | rectifyq |
| Description: | Detects file containing Telegram Bot API |
| Rule name: | Windows_Trojan_SnakeKeylogger_af3faa65 |
|---|---|
| Author: | Elastic Security |
| Rule name: | win_masslogger_w0 |
|---|---|
| Author: | govcert_ch |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
BLint
The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high |
| CHECK_NX | Missing Non-Executable Memory Protection | critical |
Reviews
| ID | Capabilities | Evidence |
|---|---|---|
| AUTH_API | Manipulates User Authorization | ADVAPI32.dll::AllocateAndInitializeSid ADVAPI32.dll::CopySid ADVAPI32.dll::FreeSid ADVAPI32.dll::GetLengthSid ADVAPI32.dll::GetTokenInformation ADVAPI32.dll::GetAce |
| COM_BASE_API | Can Download & Execute components | ole32.dll::CLSIDFromProgID ole32.dll::CoCreateInstance ole32.dll::CoCreateInstanceEx ole32.dll::CoInitializeSecurity ole32.dll::CreateStreamOnHGlobal |
| MULTIMEDIA_API | Can Play Multimedia | WINMM.dll::mciSendStringW WINMM.dll::timeGetTime WINMM.dll::waveOutSetVolume |
| SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::AddAce ADVAPI32.dll::AdjustTokenPrivileges ADVAPI32.dll::CheckTokenMembership ADVAPI32.dll::DuplicateTokenEx ADVAPI32.dll::GetAclInformation ADVAPI32.dll::GetSecurityDescriptorDacl |
| SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteExW SHELL32.dll::ShellExecuteW SHELL32.dll::SHFileOperationW |
| WIN32_PROCESS_API | Can Create Process and Threads | ADVAPI32.dll::CreateProcessAsUserW KERNEL32.dll::CreateProcessW ADVAPI32.dll::CreateProcessWithLogonW KERNEL32.dll::OpenProcess ADVAPI32.dll::OpenProcessToken ADVAPI32.dll::OpenThreadToken |
| WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess KERNEL32.dll::SetSystemPowerState KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryExW KERNEL32.dll::LoadLibraryW KERNEL32.dll::GetDriveTypeW |
| WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleMode |
| WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CopyFileExW KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateHardLinkW IPHLPAPI.DLL::IcmpCreateFile KERNEL32.dll::CreateFileW |
| WIN_BASE_USER_API | Retrieves Account Information | KERNEL32.dll::GetComputerNameW ADVAPI32.dll::GetUserNameW ADVAPI32.dll::LogonUserW ADVAPI32.dll::LookupPrivilegeValueW |
| WIN_NETWORK_API | Supports Windows Networking | MPR.dll::WNetAddConnection2W MPR.dll::WNetUseConnectionW |
| WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegConnectRegistryW ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegDeleteKeyW ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegSetValueExW |
| WIN_USER_API | Performs GUI Actions | USER32.dll::BlockInput USER32.dll::CloseDesktop USER32.dll::CreateMenu USER32.dll::EmptyClipboard USER32.dll::FindWindowExW USER32.dll::FindWindowW |
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.