MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 edec5c9ee9d9d8d6ff53c23fd2f066c06ea4dedd34b6e50720c82caeb6987e67. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MaskGramStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: edec5c9ee9d9d8d6ff53c23fd2f066c06ea4dedd34b6e50720c82caeb6987e67
SHA3-384 hash: 79b9a56bbfc584aa19421dc5e4f25d3d3cda88a09a0b4f17eaec0eedd6c22d4e411c862b5a2cf0609c5d9e39a8c927d2
SHA1 hash: 6b5308756514763109d550027f71a4213bd27ec0
MD5 hash: 8612a177a8ff13e3dd9e34f9334055c5
humanhash: yellow-stream-oven-high
File name:file
Download: download sample
Signature MaskGramStealer
Create hunting rule
File size:52'736 bytes
First seen:2025-09-15 04:01:45 UTC
Last seen:2025-09-15 04:02:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d7e66fefa3e0c8237e2da5aa4296f710 (1 x MaskGramStealer)
ssdeep 768:08TYp16I3+l+u5ScTF9uXc33xIjQduq4rZijziaPvdEZlrmNF91AM:08Tcb4r5ScTFNRaM423EZlrw91A
TLSH T18B331A5BF66284F8C82AE074DEF6453A97F2B9D00139774F15141E737E34A20EB0EA46
TrID 38.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.6% (.ICL) Windows Icons Library (generic) (2059/9)
15.4% (.EXE) OS/2 Executable (generic) (2029/13)
15.2% (.EXE) Generic Win/DOS Executable (2002/3)
15.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe MaskGramStealer


Avatar
Bitsight
url: http://178.16.54.200/files/6225437203/XgIMKPf.exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
90
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
2to1ep.bin.zip
Verdict:
Malicious activity
Analysis date:
2025-09-15 02:49:04 UTC
Tags:
auto metasploit framework python github amadey botnet stealer anti-evasion smb xenorat rat miner phishing meterpreter backdoor payload remote gh0st clickfix lumma possible-phishing loader quasar tinynuke njrat bladabindi generic agenttesla cobaltstrike tool purelogsstealer redline xworm havoc koadic evasion stormkitty pyinstaller formbook vidar coinminer vipkeylogger keylogger stealc anydesk rmm-tool networm amus masslogger nanocore neshta worm gcleaner sliver telegram loki ransomware snake aurotun hijackloader asyncrat pythonstealer purecrypter frp diamotrix clipper arch-exec darkroad
Link:
https://app.any.run/tasks/ac5e8134-51fd-4f3d-b47a-62fd8efbb338

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/27443/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c780abe579c633a4b5477d
Tags:
ransomware emotet virus remo
Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Connection attempt
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/68c7903cdbc6f5a29c44d852/reports/7994e85e-844f-494b-be2b-6ae6a92effc5/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/edec5c9ee9d9d8d6ff53c23fd2f066c06ea4dedd34b6e50720c82caeb6987e67
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-09-15T00:08:00Z UTC
Last seen:
2025-09-15T00:08:00Z UTC
Hits:
~10
Detections:
PDM:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/edec5c9ee9d9d8d6ff53c23fd2f066c06ea4dedd34b6e50720c82caeb6987e67/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/6cf0a6b3-1f00-41c0-a47e-d31c88e9e281
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/edec5c9ee9d9d8d6ff53c23fd2f066c06ea4dedd34b6e50720c82caeb6987e67
Verdict:
inconclusive
YARA:
3 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/8612a177a8ff13e3dd9e34f9334055c5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/edec5c9ee9d9d8d6ff53c23fd2f066c06ea4dedd34b6e50720c82caeb6987e67/
Verdict:
Susipicious
Link:
https://tip.neiki.dev/file/edec5c9ee9d9d8d6ff53c23fd2f066c06ea4dedd34b6e50720c82caeb6987e67
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-09-15 02:32:47 UTC
File Type:
PE+ (Exe)
AV detection:
15 of 38 (39.47%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5xwfzhxj3hmnn72tyi75f4dgybxkjxw5gs3okbzazawk5nuypztq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/250915-em282ssmx5/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Accesses cryptocurrency files/wallets, possible credential harvesting
Reads user/profile data of web browsers
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ba486ce7-c7d1-427d-bf7e-8f14805af4fd
Unpacked files
SH256 hash:
edec5c9ee9d9d8d6ff53c23fd2f066c06ea4dedd34b6e50720c82caeb6987e67
MD5 hash:
8612a177a8ff13e3dd9e34f9334055c5
SHA1 hash:
6b5308756514763109d550027f71a4213bd27ec0
Link:
https://www.unpac.me/results/598bd66d-d5d6-466d-bc44-99478ad49538/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/edec5c9ee9d9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/edec5c9ee9d9d8d6ff53c23fd2f066c06ea4dedd34b6e50720c82caeb6987e67

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_Debugger
Create hunting rule
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:ReflectiveLoader
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MaskGramStealer

Executable exe edec5c9ee9d9d8d6ff53c23fd2f066c06ea4dedd34b6e50720c82caeb6987e67

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3624250/
Cape
Cape
https://www.capesandbox.com/analysis/27443/

Comments