MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab0e1d7e551816ee2e46dfd74c50906118da48af18c6f8d2d91071310cbb7dbe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 17


Intelligence 17 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ab0e1d7e551816ee2e46dfd74c50906118da48af18c6f8d2d91071310cbb7dbe
SHA3-384 hash: 03a0b32051b87271ae0928b142b61486eed3f91737b2c8a86d573e95b803f0af5ab86c3701bf8a9e4f27512fe5968d53
SHA1 hash: bde5794a1489f5ca45f72a24ec60f99e1de2209c
MD5 hash: af4e68bd96639169c051d6ed091d0a11
humanhash: kitten-mississippi-speaker-yellow
File name:ÜRÜN ÇİZİMİ VE AÇIKLAMASI_docx.pif
Download: download sample
Signature MassLogger
Create hunting rule
File size:729'600 bytes
First seen:2025-08-06 10:58:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:zaDNiDzYmtvVzZA+sisZB+XIY5ckSuw5PEemC9UebQXzXWVmrruDdsgdrAk:GDNiwQ7AfiqBHV5PEeJ9UmEaVmPuhVd
Threatray 4'074 similar samples on MalwareBazaar
TLSH T1DCF4236927AACE21E87D67B50632E3718B7C2D99C402D34A0FDEFDA7F00B6901D51782
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter lowmal3
Tags:exe MassLogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RNZMVEAIKLAMASI_docx.pif.exe
Verdict:
Malicious activity
Analysis date:
2025-08-06 11:04:45 UTC
Tags:
evasion auto-sch-xml snake keylogger telegram stealer ims-api generic
Link:
https://app.any.run/tasks/01c20209-f09a-4fc5-a24c-47f3ee44daf4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/19196/
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=689335a211d7f9b979e60c69
Tags:
snake micro krypt msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
lolbin masquerade packed snakestealer squirrel vbnet
Link:
https://www.filescan.io/uploads/689335a2397fd3ce6f9f100d/reports/d8a1a1b7-a209-4831-a2fe-c2341c56970a/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/ab0e1d7e551816ee2e46dfd74c50906118da48af18c6f8d2d91071310cbb7dbe
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/56b3221c-8e9b-4d43-ad9c-3c13de2ace4b
Result
Threat name:
MassLogger RAT, Snake Keylogger, VIP Key
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1751256
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AntiVM3
Yara detected MassLogger RAT
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1751256 Sample: #U00dcR#U00dcN #U00c7#U0130... Startdate: 06/08/2025 Architecture: WINDOWS Score: 100 52 reallyfreegeoip.org 2->52 54 api.telegram.org 2->54 56 2 other IPs or domains 2->56 58 Suricata IDS alerts for network traffic 2->58 60 Found malware configuration 2->60 62 Malicious sample detected (through community Yara rule) 2->62 68 18 other signatures 2->68 8 #U00dcR#U00dcN #U00c7#U0130Z#U0130M#U0130 VE A#U00c7IKLAMASI_docx.pif.exe 7 2->8         started        12 wqyDGmcIvJlN.exe 5 2->12         started        signatures3 64 Tries to detect the country of the analysis system (by using the IP) 52->64 66 Uses the Telegram API (likely for C&C communication) 54->66 process4 file5 38 C:\Users\user\AppData\...\wqyDGmcIvJlN.exe, PE32 8->38 dropped 40 C:\Users\...\wqyDGmcIvJlN.exe:Zone.Identifier, ASCII 8->40 dropped 42 C:\Users\user\AppData\Local\Temp\tmp5BA.tmp, XML 8->42 dropped 44 #U00dcR#U00dcN #U0...SI_docx.pif.exe.log, ASCII 8->44 dropped 70 Adds a directory exclusion to Windows Defender 8->70 72 Injects a PE file into a foreign processes 8->72 14 powershell.exe 23 8->14         started        17 #U00dcR#U00dcN #U00c7#U0130Z#U0130M#U0130 VE A#U00c7IKLAMASI_docx.pif.exe 15 2 8->17         started        20 powershell.exe 23 8->20         started        22 schtasks.exe 1 8->22         started        74 Antivirus detection for dropped file 12->74 76 Multi AV Scanner detection for dropped file 12->76 24 wqyDGmcIvJlN.exe 12->24         started        26 schtasks.exe 12->26         started        signatures6 process7 dnsIp8 78 Loading BitLocker PowerShell Module 14->78 28 conhost.exe 14->28         started        30 WmiPrvSE.exe 14->30         started        46 checkip.dyndns.com 132.226.247.73, 49684, 49686, 49688 UTMEMUS United States 17->46 48 api.telegram.org 149.154.167.220, 443, 49709, 49718 TELEGRAMRU United Kingdom 17->48 50 reallyfreegeoip.org 104.21.64.1, 443, 49685, 49687 CLOUDFLARENETUS United States 17->50 32 conhost.exe 20->32         started        34 conhost.exe 22->34         started        80 Tries to steal Mail credentials (via file / registry access) 24->80 82 Tries to harvest and steal browser information (history, passwords, etc) 24->82 36 conhost.exe 26->36         started        signatures9 process10
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ab0e1d7e551816ee2e46dfd74c50906118da48af18c6f8d2d91071310cbb7dbe
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable PDB Path PE (Portable Executable) SOS: 0.28 Win 32 Exe x86
Link:
https://app.malva.re/file/af4e68bd96639169c051d6ed091d0a11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ab0e1d7e551816ee2e46dfd74c50906118da48af18c6f8d2d91071310cbb7dbe/
Verdict:
Malicious
Threat:
Family.SNAKE
Link:
https://tip.neiki.dev/file/ab0e1d7e551816ee2e46dfd74c50906118da48af18c6f8d2d91071310cbb7dbe
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2025-08-05 12:26:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vmhb27svdalo4lsg37luyueqmemnusfpdddpruwzcbytcdf3pw7a._file
Verdict:
malicious
Label(s):
vipkeylogger
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
87839de578611fa6fd31f537bf3107e7b7471ee271dc458372ba6efd962f4056
MassLogger
908ea4e10ff30ea0fb4dd724fdb19e1f9c491b443c90cf0957ed6216ff5d800e
MassLogger
95ea7cad1f5295a05a2084c870724c860063568375f9ac5ea4cfcda022486915
MassLogger
9975b81e9f8b7bf220475765a809c03d9462b60f27a06de2b5d867152aca5dad
MassLogger
ab0e1d7e551816ee2e46dfd74c50906118da48af18c6f8d2d91071310cbb7dbe
MassLogger
error
MassLogger
f1072b6f2cef8a84384f1d3d5f64905640d41be85aa4966cbf6ada530be721ac
MassLogger
+ 4'064 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution persistence
Link:
https://tria.ge/reports/250806-m3qh7aylz9/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/04c4162d-6d3c-482c-8364-7a610b37a755
Unpacked files
SH256 hash:
ab0e1d7e551816ee2e46dfd74c50906118da48af18c6f8d2d91071310cbb7dbe
MD5 hash:
af4e68bd96639169c051d6ed091d0a11
SHA1 hash:
bde5794a1489f5ca45f72a24ec60f99e1de2209c
Link:
https://www.unpac.me/results/375bda58-d3e4-4489-a499-f29ec5d1d7de/
SH256 hash:
6231ca045bdb78f90fa4e09e65da692ac4500afff87a00e5772f2a1f3f6b0df5
MD5 hash:
29f1ab351d39eab7ed8eaa2aabc35327
SHA1 hash:
22d8514fc711323c0426c3f5b35c9b37d884c9f3
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/375bda58-d3e4-4489-a499-f29ec5d1d7de/
Parent samples :
95ea7cad1f5295a05a2084c870724c860063568375f9ac5ea4cfcda022486915
0f35ba4092a1137650826b2cd0eff36eeb58a51c09fb1210199948a2b03a48f3
87839de578611fa6fd31f537bf3107e7b7471ee271dc458372ba6efd962f4056
f1072b6f2cef8a84384f1d3d5f64905640d41be85aa4966cbf6ada530be721ac
908ea4e10ff30ea0fb4dd724fdb19e1f9c491b443c90cf0957ed6216ff5d800e
6fd471d3b5a60eb2827287c5b805a12d8e4147c5c2ce85585b3e2748a10e6226
9975b81e9f8b7bf220475765a809c03d9462b60f27a06de2b5d867152aca5dad
abf0f414ebeb55c4ee464be758b9f279cebf0779ff269b7ecfe74267797fd251
ab0e1d7e551816ee2e46dfd74c50906118da48af18c6f8d2d91071310cbb7dbe
e4b64ae324a75568f82dd940c4017726c020051668cbb1832e88f4e806abe4e4
576ac760ec2be7d545c01b834dfa888a824f54fc8d68518a64a198e8c30a29aa
8d472caf596f0d5c7a9d1fc2bfc371f55eca7016ffe249409da702227f60a0a2
7e41a89cc3189d021b07d2c2cdcfbf151f498447e73b3539be37bbfa24586fbe
858a1f71c14ad346a95146debe2df736b00654d971bb884e6932db16404ab973
aace9b82b5a361f9fe0ea0d6d0ea6e141cca7ff9761e0d7a2665fd7752a54ffa
SH256 hash:
8e418ef5d04950ad8acd7ae087fe61651bfea2c85bb0c6ebfe7ae06445dc7459
MD5 hash:
08e37296612545fffe5a8612a4a80a39
SHA1 hash:
25e7acfc2af83bedc107ccc3b80c2924b1a68658
Detections:
win_masslogger_w0
Create hunting rule
win_404keylogger_g1
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Link:
https://www.unpac.me/results/375bda58-d3e4-4489-a499-f29ec5d1d7de/
Parent samples :
6d5f54e3d4cc2f29b7efb29994828bf0ddf7b91ee44c17134f72947263c43f77
9cc3509d0971ef4d17669266b88c3e7c47e47581b277c5c8e4a59b93ef761c9b
ab0e1d7e551816ee2e46dfd74c50906118da48af18c6f8d2d91071310cbb7dbe
dce659de9fd37d5bb82dd72548c0cc74f2498c740013e2cc5573b1b5be47758b
68dd97817032c05c6123e53bb7e4139e5c2d4895aaa343d4cff5ba2ab7f257b6
a09d6699c8aad5ef8e6cc60745ffa8764da18b41e92e3f02da1f45b70c74d695
SH256 hash:
29c1d9d432f27c35f504d4e5f9102c100c2ad9caa3e65870637b63b40883922d
MD5 hash:
38c0c8f11ab32644ccaba8e855c84b77
SHA1 hash:
bee1f7756cded1de00362007e0cbfa6ac4da706e
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/375bda58-d3e4-4489-a499-f29ec5d1d7de/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ab0e1d7e5518/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ab0e1d7e551816ee2e46dfd74c50906118da48af18c6f8d2d91071310cbb7dbe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

Executable exe ab0e1d7e551816ee2e46dfd74c50906118da48af18c6f8d2d91071310cbb7dbe

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/19196/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments