MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d7816bff46972a67b92977ed817bf9ba3bf868d844074883fdc1630678c94f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0d7816bff46972a67b92977ed817bf9ba3bf868d844074883fdc1630678c94f4
SHA3-384 hash: 2211efa02ba2f80b0fb0502b2fad8cf5608c8ed7e20beab7a37f0598addc393eb29548caa918c7b60eb8bf5700c1b19c
SHA1 hash: 8d6928bfbafc059a959bf51f7a059685d21e4e30
MD5 hash: 1139ba93ba195722315cc3b90c3df9d8
humanhash: muppet-venus-dakota-foxtrot
File name:Payment attachment.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:549'888 bytes
First seen:2024-10-09 02:50:58 UTC
Last seen:2024-10-09 03:28:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:BnC9fvjR2ukw/tSDlpJkIoEdMRSLghEPk34e2c2vmEO:yfvN2ukw/wpJkIoEdMACgu49OE
Threatray 257 similar samples on MalwareBazaar
TLSH T1CAC4F16C6205D107C87AABB819B2F2B4176D5EEEB502D3039FD96DFB796AF104C44283
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter cocaman
Tags:exe MassLogger payment

Intelligence

File Origin
# of uploads :
5
# of downloads :
391
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment attachment.exe
Verdict:
Malicious activity
Analysis date:
2024-10-09 02:53:07 UTC
Tags:
evasion snake keylogger telegram
Link:
https://app.any.run/tasks/22e474fc-eb97-4127-856c-fdafa6bf952c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.27220.14549.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6705ef9ba69182ddbe5d15c4
Tags:
Backdoor Exploit Hype
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/0d7816bff46972a67b92977ed817bf9ba3bf868d844074883fdc1630678c94f4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0bb0145d-9375-4824-95bc-927681280f79
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1529565
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AntiVM3
Yara detected MassLogger RAT
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0d7816bff46972a67b92977ed817bf9ba3bf868d844074883fdc1630678c94f4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0d7816bff46972a67b92977ed817bf9ba3bf868d844074883fdc1630678c94f4/
Threat name:
ByteCode-MSIL.Trojan.SpyNoon
Create hunting rule
Status:
Malicious
First seen:
2024-10-09 02:35:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bv4bnp7unfzkm64ss57nqf57tor37bunqrahjcb73qldaz4mst2a._file
Verdict:
malicious
Label(s):
unknown_loader_037
Create hunting rule
404keylogger
Create hunting rule
snakekeylogger
Create hunting rule
Similar samples:
0d7816bff46972a67b92977ed817bf9ba3bf868d844074883fdc1630678c94f4
MassLogger
0d89ebfc019f155ecbb5f5fb49dc172741f17de763013f2abb39b9ee3d5cc433
MassLogger
5d3125c5df560d899a483b65d52860905b9e0d85daa29ea96327c02aa8f4cd87
MassLogger
78b3e10f355de8a780c69cc622dd3bc529365ff5fa141eb291112ee7b2ef2a94
MassLogger
935a99d2fbb4053dadbfe9da227f4019d0807785bb193e56e719b7583f49b1ea
MassLogger
error
MassLogger
+ 247 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection discovery spyware stealer
Link:
https://tria.ge/reports/241009-db6awsxajn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Verdict:
Malicious
Tags:
snake_keylogger
YARA:
n/a
Link:
https://app.threat.zone/submission/0081a21a-a29d-4b75-8362-78e8eb85f626
Unpacked files
SH256 hash:
fdc50cb7f36aad6bffb26f5531fb0b6d1ef635baffc1f91a3ea1b3ec7571a458
MD5 hash:
3a65474388ad24cd4e1c4e538ada1110
SHA1 hash:
bb6e5b835b1884e95712e6af2a6b853a40bb670f
Detections:
win_masslogger_w0
Create hunting rule
win_404keylogger_g1
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Link:
https://www.unpac.me/results/a0c20ac0-0d05-47cd-83fd-17c7f804d0e5/
Parent samples :
0d7816bff46972a67b92977ed817bf9ba3bf868d844074883fdc1630678c94f4
b1520b6a3358bbcad7d55344f3d7bd2e75a9075ef4afd3f7c23de5def92daad0
d356e576ddb8d4268bd6b15175273d3f445ae8a923b3b2efb3f5231515da2f5f
SH256 hash:
0f5ddeb67577881b44d6dbb77058f56a9d0c084db614faac0045164c2d66bf1d
MD5 hash:
802eb445ed4919e000349df439d4ab31
SHA1 hash:
4139e7f3a08519910dcbbf8e016f92a3b917daab
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/a0c20ac0-0d05-47cd-83fd-17c7f804d0e5/
SH256 hash:
682c261fcd08c676ef231f46eac1c054c8df17522846b9e4adbafb62e8482dab
MD5 hash:
5a6cead6de3340dd9e0b16d599e5d1f5
SHA1 hash:
00e25f93284ff0d2493c6df3a596891d0848399e
Link:
https://www.unpac.me/results/a0c20ac0-0d05-47cd-83fd-17c7f804d0e5/
SH256 hash:
0d7816bff46972a67b92977ed817bf9ba3bf868d844074883fdc1630678c94f4
MD5 hash:
1139ba93ba195722315cc3b90c3df9d8
SHA1 hash:
8d6928bfbafc059a959bf51f7a059685d21e4e30
Link:
https://www.unpac.me/results/a0c20ac0-0d05-47cd-83fd-17c7f804d0e5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0d7816bff46972a67b92977ed817bf9ba3bf868d844074883fdc1630678c94f4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

zip 6888c7a37dff5188684abf6bec4750cdcfd357012e03c2a5c250ff65226f86db

MassLogger

Executable exe 0d7816bff46972a67b92977ed817bf9ba3bf868d844074883fdc1630678c94f4

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 6888c7a37dff5188684abf6bec4750cdcfd357012e03c2a5c250ff65226f86db
  
Dropped by
MD5 d88d5b7064c1f9e185e26c36fb6353fb

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments