MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf820bcfb66765cebc8af802b23675880be83586295bef0a1c825539f2530104. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MaskGramStealer

Vendor detections: 11

SHA256 hash: bf820bcfb66765cebc8af802b23675880be83586295bef0a1c825539f2530104
SHA3-384 hash: d8799926d52617a980e3ffccba689fe96c537e068d1afd2f9a4f9adc0e9b38f0e7e8f8ec1928c1fe00cf0c6980da3af8
SHA1 hash: 33b06fa736d9d8d5258db8fbb0568ef5ed96d559
MD5 hash: ff9ed50ab84b4b50d343ae3eb9f716d9
humanhash: march-quebec-sink-green
File name: file
Signature: MaskGramStealer
File size: 135'680 bytes
First seen: 2026-02-11 22:25:28 UTC
Last seen: 2026-02-11 23:20:14 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 23a4af79dd7d05d0297656b7db50d6c7 (1 x MaskGramStealer)
ssdeep: 3072:AvD2Ui/DY4O7CgiP9/REOcOwzu/vYtEpoRUnl/tPBGPE:AvD21s7CgiP9pEPJu/vLnl16E
TLSH: T17ED31863A89184F8D82AC57489D7A23E69F7B8910579768E1DE09F021F73B70F31CB49
TrID: 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
      21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      8.7% (.ICL) Windows Icons Library (generic) (2059/9)
      8.5% (.EXE) OS/2 Executable (generic) (2029/13)
      8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika: pebin
Reporter: Bitsight
Tags: dropped-by-amadey e3db0b exe MaskGramStealer


Reporter comment (Bitsight):
url: http://178.16.53.7/xxx2ddhqej7r.exe
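The hashes in the entry and the reporter's download URL are the indicators a responder actually pivots on. The following Python script is an added example, not MalwareBazaar or vendor code: it verifies a locally held file against every digest and the byte size recorded in this entry (SHA256 alone identifies the file; the other fields catch a truncated download or a mistyped hash), and scans proxy-log lines for the download URL or any other request to the same host. The indicator values are copied from this entry; the proxy-log lines are constructed for the demonstration, as is the log format they follow.

```python
"""Offline IOC check built from the MalwareBazaar entry above.

Added example, not MalwareBazaar or vendor code. Verifies that a local file
is the recorded sample (all four digests plus byte size) and flags proxy-log
lines that requested the reporter's download URL or anything else on that
host. PROXY_LOG is constructed for demonstration.
"""
import hashlib
import re

# Indicators copied from the page: file hashes, size and the reporter's URL.
SAMPLE = {
    "sha256": "bf820bcfb66765cebc8af802b23675880be83586295bef0a1c825539f2530104",
    "sha1": "33b06fa736d9d8d5258db8fbb0568ef5ed96d559",
    "md5": "ff9ed50ab84b4b50d343ae3eb9f716d9",
    "sha3_384": "d8799926d52617a980e3ffccba689fe96c537e068d1afd2f9a4f9adc0e9b38f0"
                "e7e8f8ec1928c1fe00cf0c6980da3af8",
    "size": 135680,
}
DOWNLOAD_URL = "http://178.16.53.7/xxx2ddhqej7r.exe"
DOWNLOAD_HOST = "178.16.53.7"

# Constructed proxy log: timestamp, client, method, URL, status, bytes.
# One exact download, one unrelated request, one POST to the same host.
PROXY_LOG = """\
2026-02-11T22:24:51Z 10.0.0.23 GET http://178.16.53.7/xxx2ddhqej7r.exe 200 135680
2026-02-11T22:25:03Z 10.0.0.23 GET https://www.example.com/ 200 5120
2026-02-11T22:31:44Z 10.0.0.41 POST http://178.16.53.7/ 200 17
"""

DIGESTS = ("sha256", "sha1", "md5", "sha3_384")


def hash_bytes(data):
    """Return the four digests MalwareBazaar records, plus the byte size."""
    result = {name: getattr(hashlib, name)(data).hexdigest() for name in DIGESTS}
    result["size"] = len(data)
    return result


def hash_file(path, chunk_size=1 << 20):
    """Same digests, streamed from disk in one pass so large files are not slurped."""
    hashers = {name: getattr(hashlib, name)() for name in DIGESTS}
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            size += len(chunk)
            for h in hashers.values():
                h.update(chunk)
    result = {name: h.hexdigest() for name, h in hashers.items()}
    result["size"] = size
    return result


def verify(observed, expected=SAMPLE):
    """Compare observed digests with the recorded ones, field by field.

    Returns (all_match, sorted list of mismatched field names).
    """
    mismatched = sorted(k for k in expected if observed.get(k) != expected[k])
    return (not mismatched, mismatched)


# Pulls the host out of an http(s) URL, ignoring an optional port.
HOST_RE = re.compile(r"https?://(?P<host>[^/:\s]+)(?::\d+)?(?:/|$)")


def scan_proxy_log(text, url=DOWNLOAD_URL, host=DOWNLOAD_HOST):
    """Return (timestamp, client, reason) for each request touching the IOC.

    An exact URL hit is the download itself. The entry records only one path
    on this host, so any other request to it is reported separately for review.
    """
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or truncated line, skip rather than guess
        ts, client, _method, requested = fields[:4]
        if requested == url:
            hits.append((ts, client, "exact download URL"))
            continue
        m = HOST_RE.match(requested)
        if m and m.group("host") == host:
            hits.append((ts, client, "other request to download host"))
    return hits


if __name__ == "__main__":
    import sys
    for ts, client, reason in scan_proxy_log(PROXY_LOG):
        print(f"{ts} {client}: {reason}")
    if len(sys.argv) > 1:  # optional: path to a locally held copy of the sample
        ok, bad = verify(hash_file(sys.argv[1]))
        print("sample verified" if ok else "mismatch in: " + ", ".join(bad))
```

Run it with no arguments to see the log scan over the constructed lines; pass the path of a downloaded copy as the first argument to confirm it matches every recorded digest before it goes into a detonation pipeline.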

Intelligence

File Origin
# of uploads: 11
# of downloads: 159
Origin country: US
Vendor Threat Intelligence

Malware configuration found for: Svit
Details: an xor decoded default c2 address and dead-drop resolver urls

Malware family: n/a
ID: 1
File name: PaypalBruterv1.0.exe
Verdict: Malicious activity
Analysis date: 2026-02-11 20:59:10 UTC
Tags: telegram auto-reg auto-sch maskgram stealer python crypto-regex
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 94.9%
Tags: trojan crypt hype

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-debug base64 fingerprint mingw packed

Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Threat name: Win64.Trojan.MaskGramStealer
Status: Malicious
First seen: 2026-02-11 20:59:04 UTC
File Type: PE+ (Exe)
AV detection: 11 of 36 (30.56%)
Threat level: 5/5

Malware family: maskgram_stealer
Score: 10/10
Tags: family:maskgram_stealer discovery spyware stealer
Behaviour:
  Checks processor information in registry
  Enumerates system info in registry
  Suspicious behavior: EnumeratesProcesses
  Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  Suspicious use of FindShellTrayWindow
  Suspicious use of WriteProcessMemory
  System Time Discovery
  Drops file in Windows directory
  Accesses cryptocurrency files/wallets, possible credential harvesting
  Checks installed software on the system
  Reads WinSCP keys stored on the system
  Reads user/profile data of local email clients
  Reads user/profile data of web browsers
  Detects MaskGramStealer payload
  MaskGramStealer
  Maskgram_stealer family
Unpacked files
SHA256 hash: bf820bcfb66765cebc8af802b23675880be83586295bef0a1c825539f2530104
MD5 hash: ff9ed50ab84b4b50d343ae3eb9f716d9
SHA1 hash: 33b06fa736d9d8d5258db8fbb0568ef5ed96d559
Malware family: MaskGramStealer
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  MaskGramStealer: Executable exe bf820bcfb66765cebc8af802b23675880be83586295bef0a1c825539f2530104 (this sample)
  Dropped by: Amadey
  Delivery method: Distributed via web download