MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7dc07e0d676315ed978812421a61050ab7e8f46b59fc1d9be168da13fe6b82f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 15

Intelligence 15 IOCs YARA 19 File information Comments

SHA256 hash:	e7dc07e0d676315ed978812421a61050ab7e8f46b59fc1d9be168da13fe6b82f
SHA3-384 hash:	dff42ce9c17ebddea5408b84a647ba9e759ad644cf7f334c0f8d59977a284c6b2d1b907821c966f2d1ba1b95d0eaff99
SHA1 hash:	135331b97aa4f4d5dd1c9b86cfea03a6e25ab475
MD5 hash:	55107e6b83a71354d5617b20bd601aec
humanhash:	beer-seventeen-cup-skylark
File name:	e7dc07e0d676315ed978812421a61050ab7e8f46b59fc1d9be168da13fe6b82f
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	542'216 bytes
First seen:	2025-11-06 11:23:04 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:eFbQcQ/yK9fFAm9489sSOfBY6DZh5TdBxDiAaRtTkR:kQccJ99NyTpDH/+xi
Threatray	2'705 similar samples on MalwareBazaar
TLSH	T1F6B4026037A5E903D6D157F12EB2F1751BB8BDD4A800E682AED96FDBB8D1F104D00A47
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10522/11/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4504/4/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
Reporter	adrian__luca
Tags:	exe MassLogger

Intelligence

File Origin

# of uploads :

# of downloads :

137

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

5fbbd5d8-c8a1-4915-b306-43ab3f515890.zip

Verdict:

Malicious activity

Analysis date:

2025-10-27 04:18:31 UTC

Tags:

arch-email arch-exec snake keylogger stealer evasion auto-sch-xml telegram ims-api generic

Link:

https://app.any.run/tasks/7202c9b3-2c0e-4f97-8119-520fd7345db7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/36157/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=690c8550ea0f3e915c238e93

Tags:

spawn shell msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Connection attempt

DNS request

Creating a window

Gathering data

Verdict:

Malicious

Labled as:

Trojan.GenericS

Link:

https://www.hybrid-analysis.com/sample/e7dc07e0d676315ed978812421a61050ab7e8f46b59fc1d9be168da13fe6b82f

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-10-27T00:18:00Z UTC

Last seen:

2025-11-07T17:20:00Z UTC

Hits:

~1000

Link:

https://opentip.kaspersky.com/e7dc07e0d676315ed978812421a61050ab7e8f46b59fc1d9be168da13fe6b82f/results?tab=lookup

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/17125646-5885-4e33-9256-ddeb4e225bc1

Score:

95%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/e7dc07e0d676315ed978812421a61050ab7e8f46b59fc1d9be168da13fe6b82f

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.39 Win 32 Exe x86

Link:

https://app.malva.re/file/55107e6b83a71354d5617b20bd601aec

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e7dc07e0d676315ed978812421a61050ab7e8f46b59fc1d9be168da13fe6b82f/

Threat name:

ByteCode-MSIL.Backdoor.FormBook

Status:

Malicious

First seen:

2025-10-27 03:16:57 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=47oapygwoyyv5wlyqescdjqqkcvx5d2gwwp4dwn6c2g2cp7gxaxq._file

Verdict:

malicious

Label(s):

novastealer

unc_loader_037

xworm

MassLogger

4cf6adbd484317ea9575c236291b11a675a0b03246646df502ffc1623c9f3bed

MassLogger

87d796dd3caceed0e5c80d06fab6fc2c8ba14591cd92848ad137040b0c2a0647

MassLogger

e04812a41b547180ad6a5d317c837285ffbcc947bcd2828bb0f7889a5605dd56

MassLogger

+ 2'695 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

family:masslogger collection discovery execution persistence spyware stealer

Link:

https://tria.ge/reports/251106-nhbd7swmcp/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Executes dropped EXE

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Command and Scripting Interpreter: PowerShell

MassLogger

Masslogger family

Malware Config

C2 Extraction:

https://api.telegram.org/bot7910311526:AAEn5doit3APLTHTBsAxIx_YHMTZbEuOtRo/sendMessage?chat_id=6712961026

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/abe88593-1ec1-4ec7-8c35-31d85fa13e97

Unpacked files

SH256 hash:

e7dc07e0d676315ed978812421a61050ab7e8f46b59fc1d9be168da13fe6b82f

MD5 hash:

55107e6b83a71354d5617b20bd601aec

SHA1 hash:

135331b97aa4f4d5dd1c9b86cfea03a6e25ab475

Link:

https://www.unpac.me/results/c1e480b5-05ec-45b9-b315-605a57116d43/

SH256 hash:

3e388d7a3b474b7e9fb6a2bf4347bf47ce334604f29a37dca2dff897e445b029

MD5 hash:

34a9ddb921602639853cbe1a494b6ce0

SHA1 hash:

29ccede7b9abaeadf02dcc854028f986b086a786

Detections:

win_404keylogger_g1

win_masslogger_w0

MAL_Envrial_Jan18_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

Link:

https://www.unpac.me/results/c1e480b5-05ec-45b9-b315-605a57116d43/

Parent samples :

b118fff1b6ca5b742655af56712876b102e632c1623091ebd3cc9a8d1a639f84
6d7ebc63612ebfeffbfb03e9e728b9b9876562b816d3cb308e69a59d754c3aa5
3ae5ddb418430865c8d6db4829ba272a06d3770f7fecb624affd6a1ad648415b
e7dc07e0d676315ed978812421a61050ab7e8f46b59fc1d9be168da13fe6b82f

SH256 hash:

a94300bda9189abc3b9a26ef91a92d5cb8bf05d0770f6f702f20813a6e3358c1

MD5 hash:

d6455a4f7f7db0c4280ab5ad5bc077e5

SHA1 hash:

493dc4d02ceb374e4b335c1fb74f8ca9dcd370f8

Link:

https://www.unpac.me/results/c1e480b5-05ec-45b9-b315-605a57116d43/

SH256 hash:

f56daa742b05c2845f271243586da20d08b00c18adbc5eca93e3f2088465ccbe

MD5 hash:

580fb5632db5b074b56190718298e747

SHA1 hash:

79fae106fa55aa0ded95f22a469f13180b57e667

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/c1e480b5-05ec-45b9-b315-605a57116d43/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e7dc07e0d676315ed978812421a61050ab7e8f46b59fc1d9be168da13fe6b82f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	crime_snake_keylogger Create hunting rule
Author:	Rony (r0ny_123)
Description:	Detects Snake keylogger payload

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	masslogger_gcch Create hunting rule
Author:	govcert_ch

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	TelegramAPIMalware_PowerShell_EXE Create hunting rule
Author:	@polygonben
Description:	Hunting for pwsh malware using Telegram for C2

Rule name:	telegram_bot_api Create hunting rule
Author:	rectifyq
Description:	Detects file containing Telegram Bot API

Rule name:	Windows_Trojan_SnakeKeylogger_af3faa65 Create hunting rule
Author:	Elastic Security

Rule name:	win_masslogger_w0 Create hunting rule
Author:	govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/36157/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample