MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9712e2e976a5fc4ca7c0f7b590ae38589c6b50e94079b260ce390e56cb02a0f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 9


Intelligence 9 IOCs YARA 25 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c9712e2e976a5fc4ca7c0f7b590ae38589c6b50e94079b260ce390e56cb02a0f
SHA3-384 hash: 5de23f48f6c88e16d71bbe99c36f8821b856b39cdb6592dce6bbd1a73b518bbd7a7f4caa2b97a9bc2a30c495c12d0447
SHA1 hash: 82d2a3b8258f0fd8596ce21770dbed467b6a4c01
MD5 hash: e7094ed1b188752c7ca62dbd55717a81
humanhash: thirteen-winter-ten-india
File name:ps_mkdNhoKsjB9E_1777388669163.ps1
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'114'636 bytes
First seen:2026-04-28 20:16:21 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 24576:penAGyZ7PDSlv8DaqshxNRQldkh2p6YPNQArBkR5RCBNlKb:ZPM8ORrN+kqXNLGB
Threatray 2'864 similar samples on MalwareBazaar
TLSH T18D3533226E526DE5C76CE375DDBE9B3D839A56A6500960C398C102F3DB6334B4E8FC18
Magika powershell
Reporter BastianHein
Tags:MassLogger ps1

Intelligence

File Origin
# of uploads :
1
# of downloads :
131
Origin country :
CL CL
Vendor Threat Intelligence
No detections
Detection(s):
SecuriteInfo.com.Other.Malware-gen.38443916.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
aspnet_compiler base64 base64 encrypted evasive lolbin obfuscated powershell reconnaissance
Link:
https://www.filescan.io/uploads/69f115bf81aa9ec3bc300be9/reports/29e3937a-cc3c-479f-aad4-83e685ddaaed/overview
Verdict:
Suspicious
Labled as:
PowerShell/Kryptik.MD trojan
Link:
https://www.hybrid-analysis.com/sample/c9712e2e976a5fc4ca7c0f7b590ae38589c6b50e94079b260ce390e56cb02a0f
Verdict:
Malicious
File Type:
ps1
First seen:
2026-04-28T06:03:00Z UTC
Last seen:
2026-04-28T17:23:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.InjectorNetT.s PDM:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/c9712e2e976a5fc4ca7c0f7b590ae38589c6b50e94079b260ce390e56cb02a0f/results?tab=lookup
Score:
64%
Verdict:
Susipicious
File Type:
SCRIPT
Link:
https://malprob.io/report/c9712e2e976a5fc4ca7c0f7b590ae38589c6b50e94079b260ce390e56cb02a0f
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c9712e2e976a5fc4ca7c0f7b590ae38589c6b50e94079b260ce390e56cb02a0f/
Verdict:
Malicious
Threat:
Family.SNAKE
Link:
https://tip.neiki.dev/file/c9712e2e976a5fc4ca7c0f7b590ae38589c6b50e94079b260ce390e56cb02a0f
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zfys4luxnjp4jst4b55vscxdqwe4nniosqdzwjqm4oiok3fqfihq._file
Verdict:
malicious
Label(s):
vipkeylogger
Create hunting rule
Similar samples:
2f3400ebe9efe2b533afadd9ba9b578315519166f96dc3cd9a2f41eb5d8f483b
MassLogger
403bc4d2748b2509bfacbb35909bf6ec6e6ee37ed729533018d57b9b418970fe
MassLogger
430db4a8d31d11fa0d1fbca809061988adde96754a2594b4abdf474471fe2c18
MassLogger
619fecd78af21d2a8e9278c744b519a7c1d69c753544964d70dfa3c7c54e1565
MassLogger
68dd97817032c05c6123e53bb7e4139e5c2d4895aaa343d4cff5ba2ab7f257b6
MassLogger
7db983607b14ea67a3d656542e033ba69fdbd3a4bcb7bea0251205d219ab71bd
MassLogger
error
MassLogger
+ 2'854 additional samples on MalwareBazaar
Result
Malware family:
vipkeylogger
Create hunting rule
Score:
  10/10
Tags:
family:vipkeylogger collection discovery execution keylogger stealer
Link:
https://tria.ge/reports/260428-y2ntrahz7n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Family: VIPKeylogger
Malware Config
C2 Extraction:
https://api.telegram.org/bot8071660627:AAFb60NRq4wg_o7DhXUr5cIhpwAsiUS1IlI/sendMessage?chat_id=5630866666
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:crime_snake_keylogger
Create hunting rule
Author:Rony (r0ny_123)
Description:Detects Snake keylogger payload
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:TelegramAPIMalware_PowerShell_EXE
Create hunting rule
Author:@polygonben
Description:Hunting for pwsh malware using Telegram for C2
Rule name:telegram_bot_api
Create hunting rule
Author:rectifyq
Description:Detects file containing Telegram Bot API
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.
Rule name:VIPKeyLogger
Create hunting rule
Author:kevoreilly
Description:Detects VIPKeyLogger Keylogger
Rule name:Windows_Trojan_SnakeKeylogger_af3faa65
Create hunting rule
Author:Elastic Security
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments