MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 acff79166ef231e892ecee81588aff62f756c443d4da85f2ad2f6bdea1c705e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MaskGramStealer

Vendor detections: 15

Intelligence 15 IOCs YARA 1 File information Comments

SHA256 hash:	acff79166ef231e892ecee81588aff62f756c443d4da85f2ad2f6bdea1c705e3
SHA3-384 hash:	7c7e6db898f3170022a029261b640b88cc68746fc7d0ffbd1963b1dfc329810accc7bfffd8bfed485b4d0f3ace97fe9c
SHA1 hash:	6ea8036c02b76cca09cabfc94046a241d4d0c9b2
MD5 hash:	3beaa43023ad2ec06bad08b3b8f36dde
humanhash:	lima-hot-hotel-quiet
File name:	MVvd2DP.exe
Download:	download sample
Signature	MaskGramStealer Create hunting rule
File size:	11'813'888 bytes
First seen:	2026-01-09 17:16:16 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b544070d00013e564a6e7901399d1921 (6 x MaskGramStealer)
ssdeep	196608:lpo8y4ZgbkULP7d3bXl1REkIemSsSOjBfC9/PE2moXCPU69bYulqrU45:lpo/G8kcP7ZzljEkRmSpOM9TficugrUG
TLSH	T136C62367D5D553FCC4C38A4466C702DDB0D0749F86E99A2D3BCB2C03A520D9A4A8AFB7
TrID	56.5% (.EXE) Win64 Executable (generic) (10522/11/4) 11.0% (.ICL) Windows Icons Library (generic) (2059/9) 10.9% (.EXE) OS/2 Executable (generic) (2029/13) 10.7% (.EXE) Generic Win/DOS Executable (2002/3) 10.7% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	abuse_ch
Tags:	exe MaskGramStealer

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

wannacry

ID:

File name:

2to1ep.exe

Verdict:

Malicious activity

Analysis date:

2026-01-09 11:23:45 UTC

Tags:

auto metasploit framework python stealer stealc powershell github possible-phishing clickfix clipper diamotrix phishing credentialflusher networm amus anti-evasion xenorat rat miner irc wannacry ransomware xmrig cryptowall purecrypter pyinstaller remcos anydesk rmm-tool azorult loader amadey telegram putty evasion neshta pastebin ammy njrat bladabindi bdaejec backdoor websocket smb discord vidar java quasar jeefo scan smbscan whitesnake xred lumma koistealer koiloader koi remote xworm noescape wiper botnet cobaltstrike formbook

Link:

https://app.any.run/tasks/a0b741af-908c-431c-ae44-8e366f6bd31f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/48395/

Verdict:

Clean

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=696138049922425f92ff4c8b

Tags:

n/a

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Connection attempt

Sending a custom TCP request

Behavior that indicates a threat

Sending an HTTP GET request

Query of malicious DNS domain

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug installer-heuristic mingw packed

Link:

https://www.filescan.io/uploads/696137f607ef5fa68e82fb2c/reports/b84e9127-2cd5-4764-aa01-2a326d16ef04/overview

Verdict:

Malicious

Labled as:

Trojan[Packed]/Win64.VMProtect

Link:

https://www.hybrid-analysis.com/sample/acff79166ef231e892ecee81588aff62f756c443d4da85f2ad2f6bdea1c705e3

Verdict:

Malicious

File Type:

exe x64

First seen:

2026-01-09T08:45:00Z UTC

Last seen:

2026-01-09T23:51:00Z UTC

Hits:

~100

Detections:

Trojan-PSW.Win32.Vidar.fwe Trojan-PSW.Vidar.HTTP.C&C PDM:Trojan.Win32.Generic

Link:

https://opentip.kaspersky.com/acff79166ef231e892ecee81588aff62f756c443d4da85f2ad2f6bdea1c705e3/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/5306c739-cb46-4781-a1a1-8335db152731

Result

Threat name:

MaskGram Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1847503

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Creates a thread in another existing process (thread injection)

Found direct / indirect Syscall (likely to bypass EDR)

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Leaks process information

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file contains section with special chars

Suricata IDS alerts for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected MaskGram Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/acff79166ef231e892ecee81588aff62f756c443d4da85f2ad2f6bdea1c705e3

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/3beaa43023ad2ec06bad08b3b8f36dde

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/acff79166ef231e892ecee81588aff62f756c443d4da85f2ad2f6bdea1c705e3/

Verdict:

Malicious

Threat:

Family.SVITSTEALER

Link:

https://tip.neiki.dev/file/acff79166ef231e892ecee81588aff62f756c443d4da85f2ad2f6bdea1c705e3

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2026-01-09 17:16:45 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

10 of 24 (41.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vt7xsfto6iy6rexm52avrcx7ml3vnrcd2tnil4vnf5v55iohaxrq._file

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery spyware stealer

Link:

https://tria.ge/reports/260109-vtf76abx7h/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

System Time Discovery

Drops file in Windows directory

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads WinSCP keys stored on the system

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/78a7afa4-db1c-4c0a-99fe-cdfe6e870ab1

Unpacked files

SH256 hash:

acff79166ef231e892ecee81588aff62f756c443d4da85f2ad2f6bdea1c705e3

MD5 hash:

3beaa43023ad2ec06bad08b3b8f36dde

SHA1 hash:

6ea8036c02b76cca09cabfc94046a241d4d0c9b2

Link:

https://www.unpac.me/results/3975c680-e846-4aff-961f-535947df614e/

Malware family:

MaskGramStealer

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/acff79166ef2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.73

Link:

https://yomi.yoroi.company/submissions/acff79166ef231e892ecee81588aff62f756c443d4da85f2ad2f6bdea1c705e3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.