MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eaf6f9bf7233e2ef0ae136bdf09eb78d494568b277f7aa53a73830a070ebaaa1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MaskGramStealer

Vendor detections: 14

Intelligence 14 IOCs YARA 15 File information Comments

SHA256 hash:	eaf6f9bf7233e2ef0ae136bdf09eb78d494568b277f7aa53a73830a070ebaaa1
SHA3-384 hash:	9e9e67f0cdf3a262d58bd37cf574de493fcf6280af25b419783774eb19ba288013e64c5d97a0a322a32def4630a2076a
SHA1 hash:	cb693d8d428f549e17f62206126e3c46b91c93e3
MD5 hash:	76a856dc0693c07cea7c94e6bc85fcbb
humanhash:	black-don-pip-november
File name:	loader.exe
Download:	download sample
Signature	MaskGramStealer Create hunting rule
File size:	344'576 bytes
First seen:	2025-10-15 19:46:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3df037d482ab9fca35b272db57fa1128 (3 x Rhadamanthys, 1 x MaskGramStealer)
ssdeep	6144:0m+j+Hzhw70XE8ph76kPOlpPFcFyUbSkxLohRmeNw8t:0m+jUPth76iOlptsyUGkOhFNT
Threatray	4 similar samples on MalwareBazaar
TLSH	T1B974AD04A2D148D3FD6786B859505A00E5B3B861AB31FBFF03B4838B1E177E45A3E769
TrID	63.5% (.EXE) Win64 Executable (generic) (10522/11/4) 12.2% (.EXE) OS/2 Executable (generic) (2029/13) 12.0% (.EXE) Generic Win/DOS Executable (2002/3) 12.0% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	burger
Tags:	exe MaskGramStealer

Intelligence

File Origin

# of uploads :

# of downloads :

147

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

loader.exe

Verdict:

Suspicious activity

Analysis date:

2025-10-15 19:43:52 UTC

Tags:

telegram stealer

Link:

https://app.any.run/tasks/41251f17-3173-483a-a4ef-fcaf38622929

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/32963/

Verdict:

Malicious

Score:

94.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68eff9f997a16d00a8da4e48

Tags:

ransomware emotet

Result

Verdict:

Clean

Maliciousness:

Behaviour

DNS request

Connection attempt

Sending a custom TCP request

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

microsoft_visual_cc packed

Link:

https://www.filescan.io/uploads/68effa263fe1a004456a5db2/reports/8d1703b8-56af-4463-82f9-c2cdec7d3d76/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/eaf6f9bf7233e2ef0ae136bdf09eb78d494568b277f7aa53a73830a070ebaaa1

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-10-15T16:49:00Z UTC

Last seen:

2025-10-15T17:29:00Z UTC

Hits:

~10

Detections:

UDS:DangerousObject.Multi.Generic

Link:

https://opentip.kaspersky.com/eaf6f9bf7233e2ef0ae136bdf09eb78d494568b277f7aa53a73830a070ebaaa1/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/d4203308-4910-44fd-b599-d1ecddc85a2f

Result

Threat name:

n/a

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1796061

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to detect sleep reduction / modifications

Contains functionality to inject threads in other processes

Creates a thread in another existing process (thread injection)

Found API chain indicative of debugger detection

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Yara detected GenericBackdoor

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/eaf6f9bf7233e2ef0ae136bdf09eb78d494568b277f7aa53a73830a070ebaaa1

Verdict:

inconclusive

YARA:

3 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/76a856dc0693c07cea7c94e6bc85fcbb

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/eaf6f9bf7233e2ef0ae136bdf09eb78d494568b277f7aa53a73830a070ebaaa1/

Verdict:

Malicious

Threat:

Win64.Malware.Heuristic

Link:

https://tip.neiki.dev/file/eaf6f9bf7233e2ef0ae136bdf09eb78d494568b277f7aa53a73830a070ebaaa1

Threat name:

Win64.Trojan.Lazy

Status:

Malicious

First seen:

2025-10-15 19:46:03 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5l3ptp3sgpro6cxbg267bhvxrveuk2fso732uu5hhayka4hlvkqq._file

Verdict:

malicious

Label(s):

plugdisk

MaskGramStealer

29e59d1526220178f6809d6b84a8147a09924a7a33ad29f7b6e206b9ad116820

MaskGramStealer

eaf6f9bf7233e2ef0ae136bdf09eb78d494568b277f7aa53a73830a070ebaaa1

MaskGramStealer

error

MaskGramStealer

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware stealer

Link:

https://tria.ge/reports/251015-yhbp3s1shs/

Behaviour

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Accesses cryptocurrency files/wallets, possible credential harvesting

Reads WinSCP keys stored on the system

Reads user/profile data of web browsers

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/4bb10546-fe9c-4a06-93fa-56516791325b

Unpacked files

SH256 hash:

eaf6f9bf7233e2ef0ae136bdf09eb78d494568b277f7aa53a73830a070ebaaa1

MD5 hash:

76a856dc0693c07cea7c94e6bc85fcbb

SHA1 hash:

cb693d8d428f549e17f62206126e3c46b91c93e3

Link:

https://www.unpac.me/results/650e2c94-362f-484a-8ee2-b079cd9c0801/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/eaf6f9bf7233/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/eaf6f9bf7233e2ef0ae136bdf09eb78d494568b277f7aa53a73830a070ebaaa1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Check_Debugger Create hunting rule

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__RemoteAPI Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	ReflectiveLoader Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/32963/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample