MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aead3e1cb0db44b9594135a3a395c5d8e510bce1a0f938146df16a67d75a8e68. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 19


Intelligence 19 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aead3e1cb0db44b9594135a3a395c5d8e510bce1a0f938146df16a67d75a8e68
SHA3-384 hash: ddaa2d9f69138ec48e1226e0057354c02e102e80e0d20ded05cc237e3de4c4851c2144cf8dffa85f6a20d379e1bf9cbb
SHA1 hash: 4e69ec7cd137d4f868f35c25795464ad5738abcd
MD5 hash: dc98af797491b42155c3def43aef79fd
humanhash: quiet-orange-texas-wyoming
File name:Purchase inquiry.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:765'448 bytes
First seen:2025-09-10 09:04:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:aCd4FvdddddcSxetUZ9zET7AawSlbb0MJ0sE+Wube5ETsYVj1Uos2AkR:a0uQn9vJ0s1zbe6IwS2n
Threatray 306 similar samples on MalwareBazaar
TLSH T1C4F4E02071BCE857E6768BF416B0E2B54BF97E486460C2CA9EC06DCF78B1F805A50797
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter lowmal3
Tags:exe MassLogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
149
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Purchase inquiry.exe
Verdict:
Malicious activity
Analysis date:
2025-09-10 09:06:40 UTC
Tags:
snake keylogger evasion stealer ims-api generic
Link:
https://app.any.run/tasks/19528bb9-73ec-411e-93db-966fc87ef464

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/26666/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.9774.16979.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c13f2c6e66ba602d79c9f8
Tags:
injection spawn shell spam
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Stealing user critical data
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
invalid-signature masquerade obfuscated packed packed packer_detected signed
Link:
https://www.filescan.io/uploads/68c13f64cfa59bfdc7f733b5/reports/350867d9-7e85-40ec-8dc8-f64b59b9c535/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/aead3e1cb0db44b9594135a3a395c5d8e510bce1a0f938146df16a67d75a8e68
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-10T02:54:00Z UTC
Last seen:
2025-09-10T02:54:00Z UTC
Hits:
~1000
Detections:
VHO:Trojan-PSW.Win32.Stealer.gen Trojan-Spy.MSIL.BPLogger.sb Trojan-PSW.Win32.Stelega.sb Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb PDM:Trojan.Win32.Generic Trojan.MSIL.Taskun.sb HEUR:Trojan.MSIL.Taskun.gen HEUR:Trojan.MSIL.Injector.gen Trojan-PSW.Win32.Stealer.sb HEUR:Trojan.MSIL.Taskun.sb
Link:
https://opentip.kaspersky.com/aead3e1cb0db44b9594135a3a395c5d8e510bce1a0f938146df16a67d75a8e68/results?tab=lookup
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/93072e18-158d-4de6-a85a-a9c11b233e81
Result
Threat name:
MSIL Logger, MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1774581
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected MassLogger RAT
Yara detected MSIL Logger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1774581 Sample: Purchase inquiry.exe Startdate: 10/09/2025 Architecture: WINDOWS Score: 100 46 reallyfreegeoip.org 2->46 48 cphost14.qhoster.net 2->48 50 2 other IPs or domains 2->50 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 Sigma detected: Scheduled temp file as task from temp location 2->62 66 14 other signatures 2->66 8 Purchase inquiry.exe 7 2->8         started        12 xGHicsdmT.exe 5 2->12         started        signatures3 64 Tries to detect the country of the analysis system (by using the IP) 46->64 process4 file5 38 C:\Users\user\AppData\Roaming\xGHicsdmT.exe, PE32 8->38 dropped 40 C:\Users\...\xGHicsdmT.exe:Zone.Identifier, ASCII 8->40 dropped 42 C:\Users\user\AppData\Local\...\tmp8919.tmp, XML 8->42 dropped 44 C:\Users\user\...\Purchase inquiry.exe.log, ASCII 8->44 dropped 68 Adds a directory exclusion to Windows Defender 8->68 14 powershell.exe 23 8->14         started        17 powershell.exe 23 8->17         started        19 Purchase inquiry.exe 15 2 8->19         started        22 schtasks.exe 1 8->22         started        70 Multi AV Scanner detection for dropped file 12->70 24 xGHicsdmT.exe 12->24         started        26 schtasks.exe 12->26         started        signatures6 process7 dnsIp8 72 Loading BitLocker PowerShell Module 14->72 28 conhost.exe 14->28         started        30 WmiPrvSE.exe 14->30         started        32 conhost.exe 17->32         started        52 checkip.dyndns.com 193.122.6.168, 49685, 49686, 80 ORACLE-BMC-31898US United States 19->52 54 reallyfreegeoip.org 104.21.32.1, 443, 49687, 49688 CLOUDFLARENETUS United States 19->54 34 conhost.exe 22->34         started        56 cphost14.qhoster.net 78.110.166.82, 49693, 49694, 587 UKSERVERS-ASUKDedicatedServersHostingandCo-Location United Kingdom 24->56 74 Tries to steal Mail credentials (via file / registry access) 24->74 76 Tries to harvest and steal browser information (history, passwords, etc) 24->76 36 conhost.exe 26->36         started        signatures9 process10
Score:
81%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/aead3e1cb0db44b9594135a3a395c5d8e510bce1a0f938146df16a67d75a8e68
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aead3e1cb0db44b9594135a3a395c5d8e510bce1a0f938146df16a67d75a8e68/
Verdict:
Malicious
Threat:
Family.SNAKE
Link:
https://tip.neiki.dev/file/aead3e1cb0db44b9594135a3a395c5d8e510bce1a0f938146df16a67d75a8e68
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2025-09-10 09:06:36 UTC
File Type:
PE (.Net Exe)
Extracted files:
38
AV detection:
26 of 38 (68.42%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v2wt4hfq3nclswkbgwr2hfof3dsrbphbud4tqfdn6fvgpv22rzua._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
novastealer
Create hunting rule
Similar samples:
1da6708a65f8dfe0c3359c8aa3fd07387c7aed37af8c66e5a5a0893aab14f547
MassLogger
3829dfb1d833742a7ae87ab22c1aa71fad4253a75d312e73bd066ec90ff1be87
MassLogger
4b6433926539dd1abfd3d7440de161c460fae060093db6982af7a2655c788f92
MassLogger
aead3e1cb0db44b9594135a3a395c5d8e510bce1a0f938146df16a67d75a8e68
MassLogger
eda128c2be30349721286d162089e9bd3d4d956e06c902d25826a6364c641404
MassLogger
error
MassLogger
f14c6f6b30e61683e8535d35e774a8cb819a0bcf405d97a6514074d14861b170
MassLogger
+ 296 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger collection discovery execution persistence spyware stealer
Link:
https://tria.ge/reports/250910-k2ap8sgp6s/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
MassLogger
Masslogger family
Malware Config
C2 Extraction:
https://api.telegram.org/bot8249574412:AAEYI1aKTMsQBYXH4o8C5XnXqiv65jV2kC8/sendMessage?chat_id=6488172735
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/dc6b473b-7394-4ac7-9d0d-4b9f06160d69
Unpacked files
SH256 hash:
aead3e1cb0db44b9594135a3a395c5d8e510bce1a0f938146df16a67d75a8e68
MD5 hash:
dc98af797491b42155c3def43aef79fd
SHA1 hash:
4e69ec7cd137d4f868f35c25795464ad5738abcd
Link:
https://www.unpac.me/results/02580f9d-7071-4aff-86e4-9c62bc42234b/
SH256 hash:
08ce10c17846656faa7ea428c7d962e8d58a288606e355a1c9a6d74d86c537c6
MD5 hash:
c86241d18c00d916f3847b3cb69b7a88
SHA1 hash:
c0a80776c8aaea90af281101665cf79d18f2116f
Detections:
win_404keylogger_g1
Create hunting rule
win_masslogger_w0
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Link:
https://www.unpac.me/results/02580f9d-7071-4aff-86e4-9c62bc42234b/
Parent samples :
034de66fa09061895f96da260b2eeb73774d916830540d59a310ea3c5f64197a
3317dad166e61c92ef0c9b030d6174fda8842a0dc33fdeadd2bfd86ffcd5a01c
6e1b5766415cd5d8e7f92d995828f0bca174fc5141af7e59e73f92e057df0626
7f13aacf27f72555c75715896013a1cad6968603e8db181f775675786abbe45d
3aab9854341050b969aa81bb5ba790767b3c50a4053368e90e70f9c68260473c
1dfeb104751544afbe70f792ef95535246eba683cdf47f21cb62038f8b5d86d6
0dae2a3a734163ec368a271822356004e53f8556ad654956dfd7570a49ba2b20
bd3da5f97d8b35c43ec96dedb259484caf1de63a4c1a2091963cb60444ea2c36
51b036522abdbc3cd223aaa8dde959ae3f02b80bd1955f61442fcc8e15696a88
76cff505d993baaecd718a3b0de1814da0aef73ce932d95bacbc6d842db38807
d271fd8cdb9d18bb653545cee69547ca2c6114bf2e810b04d81734b323cacfe6
aead3e1cb0db44b9594135a3a395c5d8e510bce1a0f938146df16a67d75a8e68
SH256 hash:
a07218767cb37a2eb228ddf96d25724848f368c446abe6ad0813387dfc603f98
MD5 hash:
af22bb92639cb98b8f09382c32c478ac
SHA1 hash:
d97ed60de226af9876769ac2e94185cf1b25d676
Link:
https://www.unpac.me/results/02580f9d-7071-4aff-86e4-9c62bc42234b/
SH256 hash:
2381d0b58fa5ad3bbad0c02f510fc3e373475b8cc978c5c02ab0d8c927299e46
MD5 hash:
7daac806dc6110e67be9de4aa17b68b5
SHA1 hash:
ea7796199c15abc05ba4c73d967202410e741927
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/02580f9d-7071-4aff-86e4-9c62bc42234b/
Malware family:
MassLogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/aead3e1cb0db/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aead3e1cb0db44b9594135a3a395c5d8e510bce1a0f938146df16a67d75a8e68

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

Executable exe aead3e1cb0db44b9594135a3a395c5d8e510bce1a0f938146df16a67d75a8e68

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/26666/

Comments