MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe2f3029c38f9e6797f91c7f560ed013262e9feebbd0cb3850222ab7d46c8c32. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 15

Intelligence 15 IOCs YARA 30 File information Comments

SHA256 hash:	fe2f3029c38f9e6797f91c7f560ed013262e9feebbd0cb3850222ab7d46c8c32
SHA3-384 hash:	67f23ad22ab8803a9725af3eec58ba534d47a720c21162bd2da35d3f677901be550fc1d3db2cb24a892aa5af5d719399
SHA1 hash:	c32deacc5d6c72eb3d91fcdbcafafec063cc1250
MD5 hash:	58aec3d90035faeb66024ecb2c854480
humanhash:	louisiana-music-triple-utah
File name:	SATIN ALMA SİPARİŞİ İSTEĞİ_docx.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	1'099'776 bytes
First seen:	2025-05-14 11:27:05 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger)
ssdeep	24576:dtb20pkaCqT5TBWgNQ7alPy8L1M5CpL6A:OVg5tQ7al5my5
Threatray	2'173 similar samples on MalwareBazaar
TLSH	T151359C22639D826FC3727173FA156701AE7F7C2506A0B45BEF94293DEB331211E1A663
TrID	40.3% (.EXE) Win64 Executable (generic) (10522/11/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4504/4/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
dhash icon	0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter	lowmal3
Tags:	exe MassLogger

Intelligence

File Origin

# of uploads :

# of downloads :

464

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SATINALMASPARSTE_docx.exe

Verdict:

Malicious activity

Analysis date:

2025-05-14 11:31:11 UTC

Tags:

evasion snake keylogger telegram stealer

Link:

https://app.any.run/tasks/56d0d292-2e70-48ef-9be5-1f7547dc6133

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68247efe4a59e5a2ce047f5a

Tags:

underscore autoit emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Launching a process

Сreating synchronization primitives

DNS request

Connection attempt

Sending an HTTP GET request

Sending a custom TCP request

Reading critical registry keys

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

adaptive-context autoit compiled-script fingerprint keylogger lolbin masquerade microsoft_visual_cc packed regsvr32 squirrel stealer

Link:

https://www.filescan.io/uploads/68247e1a8bd61140fb6ff3a4/reports/47140b97-591b-484b-a1fa-cebc5714a138/overview

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b7d10969-19bf-40cf-ba08-49ae8f5c7893

Result

Threat name:

VIP Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1689821

Signature

.NET source code references suspicious native API functions

Binary is likely a compiled AutoIt script file

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Sample uses process hollowing technique

Sample uses string decryption to hide its real strings

Switches to a custom stack to bypass stack traces

Writes to foreign memory regions

Yara detected Telegram RAT

Yara detected VIP Keylogger

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/fe2f3029c38f9e6797f91c7f560ed013262e9feebbd0cb3850222ab7d46c8c32

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fe2f3029c38f9e6797f91c7f560ed013262e9feebbd0cb3850222ab7d46c8c32/

Threat name:

Win32.Trojan.AutoitInject

Status:

Malicious

First seen:

2025-05-14 07:14:40 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

27 of 37 (72.97%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7yxtakodr6pgpf7zdr7vmdwqcmtc5h7oxpimwocqeivlpvdmrqza._file

Verdict:

malicious

Label(s):

unc_loader_036

vipkeylogger

404keylogger

autoit

MassLogger

335aa3600ce2e5e7ee73b9a292e9ad19cff53c116ff07b247f421c6f223de7ae

MassLogger

347a0d230e0109c463ffb44cfb706db2efe40d6c5083c22e923cabcce3502713

MassLogger

6f8ee5830f1d488f16a500339d4de56479d89a4c2511328bb201014cabd9ad61

MassLogger

d2149ccd022111a63cc36ce70215f8dbf9afacce168c954bfeff9cc98a4592d9

MassLogger

error

MassLogger

+ 2'163 additional samples on MalwareBazaar

Result

Malware family:

vipkeylogger

Score:

10/10

Tags:

family:vipkeylogger collection discovery keylogger stealer

Link:

https://tria.ge/reports/250514-nklmysxxfw/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Browser Information Discovery

Program crash

System Location Discovery: System Language Discovery

AutoIT Executable

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

VIPKeylogger

Vipkeylogger family

Verdict:

Unknown

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/6da02faf-635f-4508-a9b7-940eb836b510

Unpacked files

SH256 hash:

fe2f3029c38f9e6797f91c7f560ed013262e9feebbd0cb3850222ab7d46c8c32

MD5 hash:

58aec3d90035faeb66024ecb2c854480

SHA1 hash:

c32deacc5d6c72eb3d91fcdbcafafec063cc1250

Link:

https://www.unpac.me/results/db7d04cc-da17-40b3-958b-ada75597d09f/

SH256 hash:

24dca864141228f451ee382b2bcd47298fd0ec7ae656e780478b4ff679aa6f3f

MD5 hash:

17449cc27fbb76f51f78c4032a86f839

SHA1 hash:

01fe04fcc5250c28bf9fe8e336539a96848b475d

Detections:

win_404keylogger_g1

win_masslogger_w0

MAL_Envrial_Jan18_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_DotNetProcHook

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

Link:

https://www.unpac.me/results/db7d04cc-da17-40b3-958b-ada75597d09f/

Parent samples :

2f5ddc948bb23c9c0798e16b92bc8434922800a11b503643fd7f490a9f16da06
f0ea203238500f03663733e31fea8cebb0d7c72af6d6f3578e1f67c6c532d028
6f8ee5830f1d488f16a500339d4de56479d89a4c2511328bb201014cabd9ad61
fe2f3029c38f9e6797f91c7f560ed013262e9feebbd0cb3850222ab7d46c8c32
147df6d9002c2a3d567f521595f16251f12b7e8d2adecab583a349aa95818736
0a36f604c1dfb7297c21f2b74600caa5df81ae43c9c1824e4a8de425b0dfaede
6fe914c71774d81a9ab4bc2b23a80aaa0f164c4d2d34f441ff95b546a3205afe
3c71dc69770af48af03effe50dbbbd246b8168d7e0fa5211b622759fcb6c0e3e
e91741f5f641f834836a6ce849bbf6563aa14fa4b686b6db3255a5e43c81d8f6
348379e04d8c9defb167f9b86bdabbab2ac4f95ea7ee6b1ea2bed36eafc62c95
54e2bde839e16579f55ca4ebd209bce0dab579ecd90e0c7d7efb85ea31cb357f
29fdb6bb8fa31427adbdadbbfe4aadf63ddea46f356a1382e8d68a1d3dcff8cf
e2528ff769b71dede661504e3af25efaaaa8bbc5983f0ecb5b70dca7451b2a8f
5f6e993861f9f97e0a51d060965c669fe94a00efcf2a03152ea5a53f67cb8756
316e340b6adade7f5a9a3ad9c620d7c9bcf900d08cfcec28e8d3b6dc2b6e5a1e
1c82d7afb5165833d07383fbdfc7daf78a19d527cd84bc24b3dbbc2035582472
ad94f1a913b31ec1412a784e2f5eda3b9e2d4f09f01b1162ec6a7a39516c47d2
131e7a58c7eef929455150072f714c30c3136b950297f6d8dffa6189499d8a73

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/fe2f3029c38f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fe2f3029c38f9e6797f91c7f560ed013262e9feebbd0cb3850222ab7d46c8c32

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	crime_snake_keylogger Create hunting rule
Author:	Rony (r0ny_123)
Description:	Detects Snake keylogger payload

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	masslogger_gcch Create hunting rule
Author:	govcert_ch

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	telegram_bot_api Create hunting rule
Author:	rectifyq
Description:	Detects file containing Telegram Bot API

Rule name:	Windows_Trojan_SnakeKeylogger_af3faa65 Create hunting rule
Author:	Elastic Security

Rule name:	win_masslogger_w0 Create hunting rule
Author:	govcert_ch

Rule name:	YahLover Create hunting rule
Author:	Kevin Falcoz
Description:	YahLover

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

exe fe2f3029c38f9e6797f91c7f560ed013262e9feebbd0cb3850222ab7d46c8c32

(this sample)

Delivery method

Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::AllocateAndInitializeSid ADVAPI32.dll::CopySid ADVAPI32.dll::FreeSid ADVAPI32.dll::GetLengthSid ADVAPI32.dll::GetTokenInformation ADVAPI32.dll::GetAce
COM_BASE_API	Can Download & Execute components	ole32.dll::CLSIDFromProgID ole32.dll::CoCreateInstance ole32.dll::CoCreateInstanceEx ole32.dll::CoInitializeSecurity ole32.dll::CreateStreamOnHGlobal
MULTIMEDIA_API	Can Play Multimedia	WINMM.dll::mciSendStringW WINMM.dll::timeGetTime WINMM.dll::waveOutSetVolume
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::AddAce ADVAPI32.dll::AdjustTokenPrivileges ADVAPI32.dll::CheckTokenMembership ADVAPI32.dll::DuplicateTokenEx ADVAPI32.dll::GetAclInformation ADVAPI32.dll::GetSecurityDescriptorDacl
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteExW SHELL32.dll::ShellExecuteW SHELL32.dll::SHFileOperationW
WIN32_PROCESS_API	Can Create Process and Threads	ADVAPI32.dll::CreateProcessAsUserW KERNEL32.dll::CreateProcessW ADVAPI32.dll::CreateProcessWithLogonW KERNEL32.dll::OpenProcess ADVAPI32.dll::OpenProcessToken ADVAPI32.dll::OpenThreadToken
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::SetSystemPowerState KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryExW KERNEL32.dll::LoadLibraryW KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateHardLinkW IPHLPAPI.DLL::IcmpCreateFile KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW
WIN_BASE_USER_API	Retrieves Account Information	KERNEL32.dll::GetComputerNameW ADVAPI32.dll::GetUserNameW ADVAPI32.dll::LogonUserW ADVAPI32.dll::LookupPrivilegeValueW
WIN_NETWORK_API	Supports Windows Networking	MPR.dll::WNetAddConnection2W MPR.dll::WNetUseConnectionW
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegConnectRegistryW ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegDeleteKeyW ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegSetValueExW
WIN_USER_API	Performs GUI Actions	USER32.dll::BlockInput USER32.dll::CloseDesktop USER32.dll::CreateMenu USER32.dll::EmptyClipboard USER32.dll::FindWindowExW USER32.dll::FindWindowW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample